Credit report heavyweight Equifax has warned that up to 400,000 UK consumers may have had their personal details stolen as part of a massive global data breach. Info on exactly who's been affected and what you can do about it is still somewhat sketchy, but here's what we know.
Equifax revealed on 8 September that 143 million consumers in the US could have been affected by the incident, which saw hackers access data such as names, address and dates of birth, as well as credit card numbers in a smaller number of cases.
Although its UK business – Equifax Ltd – now says systems in this country are not affected, it admits a file which was stored in the US and contained more limited personal information on up to 400,000 UK consumers may have been accessed.
What is Equifax and what data does it have?
Equifax is the second biggest credit reference agency in the UK, after Experian.
Like other such agencies, it holds information about you which prospective lenders use to assess you when you apply for a credit card, loan, mortgage or more.
This comes from four main sources – the publicly available electoral roll, court records, previous credit searches and account data shared by banks, building societies, utility companies and other organisations. See our Credit Scores guide for more info.
When did the hack happen and what info was taken?
The company says criminals accessed several files between mid-May and July this year. It says it found out about the hack on 29 July and immediately stopped any further intrusion.
Equifax says the info which was accessed relating to US citizens primarily included names, social security numbers, birth dates, addresses and, in some instances, driving licence numbers. The credit card numbers of 209,000 US consumers and dispute documents from about 182,000 US consumers were also accessed.
With UK consumers, the information which may have been accessed is limited to:
- Dates of birth
- Email addresses
- Telephone numbers
Equifax says no UK consumers had residential addresses, passwords or financial data accessed.
How can I check if my info was taken?
Equifax holds data on some 44 million people in the UK, and it says the data which was hacked doesn't relate to any particular business or institution – so there's no easy way of knowing if you're affected.
Equifax says it will be proactively writing to all affected consumers – but letters haven't gone out yet, and Equifax couldn't give us an exact deadline for when they'll be sent.
In the US, the company's set up a dedicated website – Equifax Security 2017 – which allows those with a US social security number to find out if they've been affected. Some people in the UK have posted on social media that they've tried using the website while entering their national insurance number – however, there's no indication that this actually works, and the site only addresses US customers.
If your info was taken, you'll be offered a free ID protection service
Equifax says those who receive a letter alerting them that their info has been taken will be offered in the same letter a free comprehensive identity protection service. This will allow you to monitor your personal data, including your credit information, and be alerted to any potential signs of fraudulent activity.
We've asked Equifax for more information on the identity protection service, and will update this story when we hear, although it says a full explanation will be offered in the letters.
What can I do if I'm worried?
The National Cyber Security Centre – the Government body that provides support in how to avoid computer security threats – says that no password-related data appears to be involved in this breach. Therefore, it doesn't believe there's any need for UK consumers to reset their passwords.
It says the main risk to those affected by the data breach is that they may be sent more targeted and more realistic 'phishing' messages – which attempt to obtain sensitive information such as credit card details and passwords.
Fraudsters could use the information that was potentially accessed to make their phishing messages look much more credible, including using real names and statements such as: "To show this is not a phishing email, we have included the month of your birth and the last three digits of your phone number".
The Information Commissioner's Office – the public body in the UK in charge of protecting your data rights – has also offered guidance to consumers.
It says: "Members of the public should remain vigilant of any unsolicited emails, texts or calls, even if it appears to be from a company they are familiar with. We also advise that people review their financial statements regularly for any unfamiliar activity.
"If any financial details appear to have been compromised, victims should immediately notify their bank or card company. If anyone thinks they may have been a victim of a cybercrime they should contact Action Fraud."