Almost 700,000 British victims of the Equifax hack are receiving letters offering a free fraud protection service. But you'll need to hand over personal details to get it – and many say the helpline the letter directs you to isn't working properly.
The credit report heavyweight is writing to UK consumers to warn them their personal details have been compromised, after it announced in September its US parent company had been the victim of a cyber-attack five months earlier.
We've been contacted by lots of MoneySavers who are confused and alarmed by the letter, some of whom had no idea what Equifax is or why it held their data. If you're affected, here's what you need to know.
What is Equifax and what data does it have?
Equifax is the second biggest credit-reference agency in the UK, after Experian. Like other such agencies, it holds information about you which prospective lenders use to assess you when you apply for a credit card, loan, mortgage or more.
Crucially, Equifax doesn't just hold data on customers who've used its credit report services – it holds data on some 44 million people in the UK. So you could have been a victim of the data breach even if you'd never heard of Equifax before.
The data Equifax holds comes from four main sources – the publicly available electoral roll, court records, previous credit searches and account data shared by banks, building societies, utility companies and other organisations. See our Credit Scores guide for more info.
What details were hacked?
Equifax has confirmed 15.2 million UK records, dated between 2011 and 2016, were targeted.
It says 14.5 million of these may contain names and dates of birth, but the fact they've been breached should not pose any "significant risk", and these customers won't be contacted.
However, it is contacting the remaining 693,665 consumers. The numbers affected and information taken can be broken down as follows:
- 637,430 consumers had their phone number accessed.
- 29,188 consumers had their driving licence number accessed.
- 14,961 consumers had parts of their Equifax.co.uk membership details from 2014 accessed, such as username, password, secret questions and answers and partial credit card details.
- 12,086 consumers had an email address associated with their Equifax.co.uk account in 2014 accessed.
There's a helpline to call – but it's struggling
The letter tells consumers that if they have questions about what the data breach means and how Equifax can support them, they can call a freephone helpline between 8am and 8pm, seven days a week – the number's 0800 587 1584.
Yet we've received numerous reports that this helpline isn't working properly – most MoneySavers who've told us they've had problems say they got no ring tone. For example, David said: "I have tried to call a number of times this afternoon and it doesn't even ring."
We've tried calling it five times ourselves today and also got no ring tone, though on our latest check we did get through. Equifax insists the phone line IS working properly and says simply that it's very busy, so you should try again. We've asked why users are getting no ring tone rather than some kind of message and will update this story when we hear back.
You can get free monitoring services – but must give your details
The letter details a number of free services to "reduce your risk" following the hack. These include:
- Equifax Protect – a credit-report monitoring service to alert you to any changes on your credit report.
- Equifax WebDefend – a web monitoring service to alert you if your personal details are used on the web.
- Equifax Postal Service – to get a copy of your credit report by post.
- Cifas Protective Registration – a fraud protection service.
However, to access the majority of these free services, you'll need to sign up, online or on the phone if you can get through.
To do so, you'll need to give the reference number included in the letter, but will also be asked to give additional personal info – your name, address, date of birth and email address – and create security questions. Equifax says you won't be asked for any payment details.
'I don't want to give my personal details to their so-called protection'
We've been contacted by a lot of concerned users who've received the letters:
- John said: "Received a letter today saying my data in the USA has been hacked! Why is my data held in a foreign country? What is our Government doing about it? I don't particularly want to give any more data out to a company which has been hacked – that's madness."
- Gillian said: "I have received a letter today from Equifax informing me that my name, date of birth and telephone number have been accessed. I was unaware that Equifax had any information about me."
- Patricia said: "Received my letter today, don't know what to do. I don't want to give my personal details to their so-called protection for the next 12 months – anybody else feel like this?"
Do I have to sign up to the Equifax services?
No, it's entirely up to you. Equifax says that doing so may help "reduce your risk", and you won't be charged for the services. But there's no guarantee the services will stop your data being fraudulently used and you will have to provide further personal details, so you need to weigh up what to do.
Equifax says it will not be taking any payment details, and if you ask for the services to last longer than 12 months, it will sign you up for a further 12 months free of charge.
What can I do to protect myself?
If your data has been accessed, here's what you can do:
- If your password or security answers were taken, change them ASAP. Only a small proportion of the UK consumers affected had passwords and other login details taken, and these were from 2014. But if you've used the same password or security questions and answers anywhere else, make sure you change them. See our Password Security guide for more help.
- Be vigilant – watch out for possible fraud. The Information Commissioner's Office has warned consumers to watch out for unsolicited emails, texts or calls, even if they appear to be from a company you're familiar with. There's a risk fraudsters could use data which was taken to make 'phishing' messages more credible – these attempt to obtain sensitive info such as credit card details. See our Stop Scams guide for more help.
- Weigh up whether to use Equifax's free services. It says these may help reduce your risk, but you'll need to decide if they're worth it. You could instead look at similar services from other providers, though when it comes to things like web monitoring you may have to pay.
Is Equifax being investigated over the hack?
The Financial Conduct Authority (FCA) has confirmed it's investigating, and working with the Information Commissioner's Office.
Andrew Bailey, chief executive of the FCA, recently wrote to Nicky Morgan MP, chair of the Treasury Select Committee, to say the regulator is taking the matter "extremely seriously".
Will Equifax pay out compensation for the hack?
A spokesperson said the company won't be paying any cash compensation. The FCA could order Equifax to pay redress, but there's no indication of that as yet. We'll continue to follow this story and give an update as soon as we know anything new.