The Equifax hack means that up to 15.2 million records in the UK may have been hacked. What do you need to do about the Equifax hack?
Q. What’s the problem?
A. The US parent company of Equifax, one of the three credit reference agencies in the UK, announced in September that it had been hacked. The hack happened on July 29th this year. Equifax Inc in the United States said that the details of up to 143 million people in the US may have been accessed.
At the time it said that data from a limited number of people in the UK may also have been stolen, but it didn’t know exactly how many. On September 15th Equifax UK confirmed that up to 400,000 people here may have had their details stolen. Today (October 10th), Equifax UK said that 15.2 million UK records were stolen or accessed during the hack. This is far more than Equifax originally said.
Crucially, none of the information that was hacked was encrypted or hashed. Encrypted means it’s turned into a code – once you have the key to the code you can unscramble it. When data is hashed it’s – in theory – impossible to decrypt, although in practice it can be done. It certainly makes it harder.
Q. What information was stolen?
A. The statement Equifax released today is confusing to say the least. It also contradicts what the company said in September. This is what they’ve said today:
- A file containing 15.2 million UK records dating from 2011 to 2016 was hacked.
- 12,086 customers had their name plus the email address they used in 2014 hacked.
- 14,961 customers had their username, password, secret questions and answers and partial credit card details from 2014 hacked.
- 29,881 customers had their driving licence number hacked.
- 637,430 customers had their phone number accessed.
Equifax says that the rest of the data (14.5 million records) may contain the names and date of birth of certain customers.
Equifax said in September that it was ‘unlikely’ that people who have had their information stolen will be victims of identity fraud’. But I said at the time that they couldn’t know that. That’s because, even if financial data isn’t taken, ID fraudsters can – and do – jigsaw information. Namely, they can get some information from one source and combine it with information they’ve stolen elsewhere to try and commit identity fraud. Or they’ll piggyback off an event and try and – fraudulently – get more information from the company’s customers. None of this information was encrypted.
It is true that, in order to open credit accounts in your name, a fraudster would need your address and date of birth and probably information about your employment. But ID fraud can be – and is – committed with incomplete personal details. So be on your guard!
Q. What is Equifax doing?
A. Equifax is writing to over 700,000 customers. These fall into the first four groups of people (the 12,086 who had their name and email address from 2014 accessed, the 14,961 who had their username, password, security question etc from 2014 accessed, the 29,881 who had their driving licence number stolen and the 637,430 who had their phone number accessed).
It will either offer its own ID protection monitoring service or another company’s service, free of charge.This will let you monitor your personal data, including your credit report. You’ll also be contacted if there’s any potential sign of fraudulent activity.Because phone numbers have been stolen, Equifax says it won’t be ringing anyone, but has set up a freefone number that you can call seven days a week. It is: 0800 587 1584
Q. What should I do?
A. Look out for a letter from Equifax. I’m sure Equifax will offer this, but if it doesn’t, sign up for CIFAS protective registration. It costs £20 for two years and it means that there will be extra checks in place if someone applies for credit in your name.
I couldn’t find any information about the data breach on Equifax’s website in the UK, but there is a special website called Equifaxsecurity2017 (mainly aimed at US customers), with updates on the breach.
Q. What information does Equifax store?
A. Like the two other credit reference agencies, Experian and CallCredit, Equifax stores information on over 40 million adults in the UK.
This information is extensive and includes your name, addresses you’ve lived at over the last six years, any bankruptcies or county court judgments (CCJs) over the last six years, loans, credit agreements and/or bank accounts with overdrafts, plus things like mobile phone contracts (not pay as you go) and insurance that you pay for monthly, rather than in one go.
This information is used by financial companies to work out whether or not you’re a good risk before they decide whether or not to lend to you.
SavvyWoman email newsletters: If you found this information useful why not sign up now to receive free fortnightly email newsletters with money saving tips and help? You can sign up at the top of any page on the website and your details won’t be passed to any other company for marketing purposes.