
Have you received a ‘data breach’ letter from Equifax?  

Credit reference agency Equifax is writing to the near 700,000 UK individuals worst affected by its data breach – but will the letters cause further harm?

Five months after Equifax was hit by a major cyber-attack, the credit reference agency has begun writing to the 693,665 UK consumers who had details stolen.

The compromised information includes email addresses, passwords, driving licence numbers, phone numbers and partial credit card details. Equifax has said the letters will detail what data has been compromised for that particular recipient. To reduce the risk of identity fraud, Equifax is offering affected individuals a choice of free ID-monitoring services.

Yet there’s evidence that far from reassuring victims, Equifax’s letters are sparking panic among some recipients, with a few even questioning whether the letter itself is a scam.

That’s because many haven’t heard of the firm before and don’t know why it holds their data. Regrettably, the letter doesn’t answer these questions.

Who is Equifax?

Equifax has confirmed that just 3% of those it is contacting now were its direct customers. How is this possible?

As a credit reference agency, Equifax receives personal data from banks and financial institutions when someone applies for a bank account, mortgage or credit card. Consent for this is usually included in the application terms and conditions.

This means Equifax may hold data on you, even if you’ve never dealt with it directly. Others will have transacted with Equifax themselves by purchasing a credit report or identity-monitoring services from it.

What is Equifax offering?

If your data has been breached, you may be at heightened risk of identity fraud. To combat this, Equifax is offering free services that monitor how your identity is being used online – some of them are run by Equifax itself, and one is run by anti-fraud body, Cifas.

If you’re concerned about the security of Equifax’s own products, you can opt to be enrolled in Cifas’s Protective Registration scheme. However, you will still have to give some personal information to Equifax so it can enrol you for free.

It is possible to enrol directly through Cifas, although this will attract a £20 charge (for two years’ cover).

Scams risk

We’re concerned that scammers may try to capitalise on concern around the data breach by posing as Equifax in order to dupe individuals out of their data or money.

If you receive a letter regarding the Equifax data breach, and you aren’t sure if it’s genuine, look up Equifax’s number independently via a search engine or directory enquiries. Then give it a call to confirm the letter is genuine.

Is Equifax doing enough?

We want to know what you think of how Equifax handled the data breach. Do you think it’s acted promptly and adequately to protect customers? If you’ve received one of its letters, did you understand it, and did you take up its offer of free protection? If not, why not?


I have just reported my “concern” over this Equifax data leak – and UK Credit Reference Agencies in general – to the Information Commissioner’s Office.

Their PDF form was simply appalling to use: the text entry boxes provided were of a small fixed size, which meant scanning back was like reading through a letter box:-( Clearly, the Information Commissioner has NO IDEA about how to provide information feedback for us consumers!

I quoted the EU-US Privacy Shield.

The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that “the EU-US Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the European Court”. However, the European Commission adopted the framework on 12 July 2016. But President Trump then signed an Executive Order which states “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.

But the European Commission states “The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:

The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.

The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalise this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”

I asked what actions/recommendations is the ICO going to take/make regarding Equifax’s CRA license, and UK citizens’ access to the class actions now being launched in the United States for compensation against Equifax?

I am glad you verified what I have been saying for over a year about how all our data is OFFICIALLY transferred to the USA, Mars Express, I think a year last August. It was done under Globalisation informational exchange and the security of the USA. I am sure many on this website thought I was lying as I got news right away of it happening through US sources. The EU have done the same to a slightly lesser extent. Remember when they all had those international meetings of the heads of states of many countries protected by police dogs/MI5/the Army etc etc, a meeting in Scotland and others abroad, all decided then, kept quiet from the public. Now it’s too late and WE are not under the same protection as US citizens because – listen up all you “over the pond” lovers – WE are Foreigners in US Law and you know what, I don’t blame them. It’s us that are the suckers for allowing this; anybody knowing how things work in the USA would know OUR information will be available for cash either officially or unofficially, even FBI operatives were caught selling info. Yet I am a “conspiracy theorist”, the word dreamed up by the CIA decades ago to combat leaks from official sources. Now you, Mars, will be joining the club of “conspirator theorists”. It’s time we started a Gentleman’s club near Westminster, it would be full in no time, helped greatly by the fake news coming out of it.

LizG says:
23 January 2018

I have only just received my letter and had no idea that Equifax held data of mine. It does explain which data has been accessed although it states “including your:……….” which could infer that more than that has been accessed. It also explains that it is data from a historic file created between 2011 and 2016 as part of a service used by their clients to verify their customers. Why are historic files not deleted once they have served their purpose?
I must admit my first thoughts were that it was a scam as the news of Equifax’s breach had passed me by and even if I had heard of it I am not sure I would have been worried given that I am a ‘third party’ to the event having not used Equifax directly.
I have now noticed further chat on social media that suggests that, to sign up to Equifax’s free services, more personal data will need to be disclosed.
As it appears that my data has been in the hands of the hackers since May 2017 (hardly recent Equifax!!) I think I will take a chance and rely on personal vigilance rather than hand over even more data to potential hackers.

John lowe says:
23 January 2018

I suggest that all people who receive Equifax’s “personal data has been accessed” letters write to their MP voicing their fears and demanding a Parliamentary response!! If they receive all 700000 that should cause a furore.

I have only just received a letter dated Jan 23 2018!
It includes all the details you list.
It starts with a very menacing “Your personal data has been accessed; please read this letter and take action to protect yourself” in bold letters. It says my name, date of birth and landline telephone number were stolen. I have noticed an increase in telephone scam activity in recent weeks, but I am registered with BT’s blocking service and can report specific numbers etc. My name and telephone number are available in the telephone directory anyway, so my DOB is the only issue. There is no way I am prepared to give a company that I did not even know held data on file about me any additional information on credit cards, driving license etc. I am also appalled that they have taken since May 2017 to alert me. They make no mention of other data they hold on me that was not accessed but they obviously have my home address.

Geoffrey Dent says:
24 January 2018

Received one today, two months after this conversation started. Absolutely no confidence in any system which means passing more data to this company.

Hi Geoff, yes we’re aware that Equifax has informed a further 167,000 victims of its data breach. As far as we’re aware over 860,000 letters have been sent so far. Equifax has said it has decided to write to thousands more victims whose landline telephone numbers were already published in public telephone directories but were accessed as part of last year’s cyber-attack. If you’re not sure if the letter is genuine, then you can call Equifax on 0800 587 1584 to confirm the letter. If your data has been breached, you may be at heightened risk of identity fraud. To combat this, Equifax is offering its worst-affected UK customers free services which monitor whether your identity has been compromised online. We have advice on what to do if your data has been lost or stolen here: https://www.which.co.uk/consumer-rights/advice/my-data-has-been-lost-what-are-my-rights

Like others, I have only just received a letter from Equifax (24.01.18), a company I had not heard of before never mind known they held my personal data!

I am struck by what they say about protecting myself, particularly, “The hacker has had access to your data since May 2017 when the attack occurred. It is therefore vital that you check whether any fraudulent activity might have occurred during this period using your personal information without your consent.”

And how, pray tell, bearing in mind I am not a forensic accountant or cyber security expert, am I meant to do that!?!? Unless, that is, they expect me to sign up to their ‘offer’ of Equifax Protect? If this were April 1st I would be having a laugh… How can anyone possibly think I would feel any confidence in what this bunch (or any of their ilk) could offer?

I am, however, deeply concerned that should at anytime in the future my identity be stolen or my finances compromised they will:
a) Take the position that such activity cannot be proven to be as a result of this breach
b) Argue that it is my fault for not taking up their offer of Equifax Protect

Surely something has to be done to protect us from such abuse of technologically driven power and incompetence?

I’ve had a letter from Equifax dated 20/07/2018 stating my “Personal Data has been accessed” following a recent cyberattack against Equifax. I’ve never heard of them but they are offering their help in sorting this out.

I just don’t know what to do. Should I contact them, as they suggest, to sort it out, or should I ignore it?

Wrote to Which about this, I was expecting some advice on what to do. Isn’t that what the consumers’ champion is about?

I also waited for some superior answers to the above two posts, and waited. According to my US sources -quote- under no circumstances provide Equifax with additional info. I have the facts on their loose security covered up by US authorities but busted in the end. No action was taken against them as it would hurt profits in US big business, even suing them was blocked. Like the banks, too big to fall. I am sure now I have posted this every man/woman and their dog will come on and say how wonderful the company is.

I received my letter on Wednesday (24 Jan) after querying on Tuesday why I had failed credit checks (for the first time ever) when applying to take out an additional service with my mobile phone provider. When I spoke to Equifax (who I have never had any dealings with before), they offered to sell me a copy of my credit report or enrol me as a member for nearly £15 per month. The arrival of this letter the next day was clearly no coincidence, but why not offer me this free service on Tuesday over the phone instead of trying to sell me protection? My credit rating appears to be very high after joining Equifax using the reference provided on the letter – I have no idea what is going on, but of course I am very concerned, and really have no idea what to do to try to protect identity fraud, or find out if it has already happened.

Graham says:
30 January 2018

I also received a letter recently and will not be taking up the offer of additional services due to the need to provide even more information to them. Is there any reason why they couldn’t sign up affected users to their Protect service without disclosing any further information?

Having received a letter I have been trying to sign up for the web defence services. I have had trouble logging into the site and the support they have provided is extremely poor. Emails have not been received when they have been promised over the phone, and support responses have been logged (according to emails I’ve received from them), in their support area which I am not able to access and is partly why I’ve been calling in the first place. After 3 weeks I am extremely frustrated.

Celine - According to Equifax -quote- you must use a “standard web browser”, ie one of Microsoft’s or Google. They must be truly open with no blockers etc, they want to know who you are right away. Graham - everything is money in the USA, they want your info to make additional profit; as I have said in previous posts your info gets distributed everywhere they can make money out of it. US citizens come first I am afraid as you are dealing direct with the USA, Celine. I have had no trouble accessing Equifax customer support website but obviously I can’t input customer details first as I am not a customer, but I did get by the first stage and that was using a small Linux type browser. I suspect there is something about your browser Equifax don’t like as they employ private data logistics to analyse all contacts with them.

On 27th December 2017 I wrote to the Information Commissioners’ Office:

I have attached a completed Information-handling-form.pdf See (*)

It was extremely difficult to complete due to the INFLEXIBILITY of the entry boxes.

I notice that the Information Commissioner, Elizabeth Denham, has a degree in history. It shows in the poor quality of the design of this form: most competent organisations dealing in information would have used extendable boxes for text entry!


Need help?

Call our helpline 0303 123 1113

Report a concern about how an organisation handled your information

Use this form to report a concern that you have been unable to resolve with an organisation. If we think the organisation has not complied with its obligations, we will use the information to give advice and ask it to solve the problem. We cannot award you compensation. Our main aim is to improve the information rights practices of organisations, where there is an opportunity for us to do so.

You should raise your concern with us within three months of your last meaningful contact with the organisation. We may not investigate older cases.

1. What do you think the ICO can do to help?

Please use this space to explain how you think the ICO can help you. We will respond, even if we think we cannot achieve what you want.

My response:

“Make recommendations to Government to better regulate UK-Registered Credit Reference Agencies, specifically concerning:

(1) the failure to apply security updates and patches to data servers

(2) the holding and transmission of personal records in an unencrypted form

(3) the failure to notify users and Government Agencies of data breaches in a timely manner

(4) the (secret) exportation of UK citizens’ personal data beyond the jurisdiction of the UK where such data may be abused and where our data laws do not then apply

(5) their failure to maintain secure data servers abroad

(6) an enforceable programme of cyber security monitoring and reporting

(7) failure to comply with any/all of the above rendering their license subject to suspension.”

2. What is your concern?

For example, are you concerned that the organisation:

is not keeping your information secure;

holds information about you that is inaccurate;

has disclosed information about you;

has kept information about you for longer than is necessary;

has collected information for one reason and is now using it for something else; or

has sent you someone else’s personal information.

My response:

“My personal data has been held unencrypted on an insecure and ill-maintained data server outside of the jurisdiction of the UK, without my knowledge. I reported suspicious activity on my account to Equifax on May 5th 2017, to which they acknowledged that they “had some problems with our online systems”. They said they were “looking into this issue at the moment”.

However, I did not receive notification from Equifax that my personal data had been “accessed following a recent(!) cyberattack” until November 18th 2017. That notification informed me that “the hacker has had access to (my) data since May 2017 when the attack occurred” ie. when I first informed them of suspicious activity on my account!

Equifax Reference Number: xxxxxxxxxxxx

This hack was not reported in the press until 7th September in the New York Times. On 11th September 2017 there was speculation in The Register that 44 million UK consumers may have been compromised, which was followed up in The Guardian on 16th September. This was not confirmed until 12th October 2017 when The Register published a report from the UK Treasury Committee Chairman that “Equifax has had weeks to get a grip on its incident response but has messed up at every turn.”

The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that “the EU-US Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the European Court”. However, the European Commission adopted the framework on 12 July 2016. But President Trump then signed an Executive Order which states “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.

But the European Commission states “The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:

(1) The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.

(2) The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalise this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”

What actions/recommendations is the ICO going to take/make regarding Equifax’s CRA license, and UK citizens’ access to the class actions now being launched in the United States for compensation against Equifax?”

Please send us copies of relevant documents that support your concern. For example, if you are concerned that personal information is not accurate, please send us documents showing that information is inaccurate and correspondence that shows you raising your concern with the organisation, and any response.

3. Details of the organisation your concern is about

Organisation: Contact name: Address:


Postcode: Telephone: Email:

4. Your details

Or, if you’re filling this in on behalf of someone else, put their details here.

First name:
Last name: Address:
Daytime telephone: Email:

Who should we contact? (if different from above)

We will use the contact details above unless you would prefer us to deal with someone else. If you are filling in this form for somebody else, you will need to provide us with a signed authority from them to deal with you on their behalf.

First name: Last name: Address: Postcode: Telephone: Email:

5. Declaration

I understand that the ICO may need to share the information I have provided so they can look into my concern. I have indicated any documents or information that I don’t want the ICO to share.

I understand that the ICO will electronically store the information relating to my concern including the documents I have provided and keep the electronic records for two years, or for longer if it is appropriate. The ICO will destroy the original hard copies after six months.

I agree. Date:


6. Sending your form to us

By email

Fill in this form and save it to your computer.

Open a new email, with ‘Concern about an organisation’s handling of personal information’ in the subject line.

If you have all your supporting documents electronically, attach them to your email.

Email the completed form to casework@ico.org.uk

By post

If you have only paper copies of any of your supporting documents, print this form and post it with all your supporting documents to:

Customer Contact
Information Commissioner’s Office Wycliffe House
Water Lane
Cheshire SK9 5AF

On 5th February, 2018 I received the following response to my complaint about Equifax from the Information Commissioners’ Office:

I write in response to your correspondence of 27 December 2018 in which you raise concerns about Equifax.

Our aim is to improve information rights practices within organisations. We do this by taking an overview of all concerns that are raised about organisations with a view to improving their compliance with the Data Protection Act 1998 (‘the Act’).

We cannot look into every concern we receive. We will put most of our effort into dealing with matters we think give us the best chance of making the biggest difference to information rights practices.

Depending on the circumstances, we may give advice about handling personal information, provide guidance, or ask them to review their procedures.

From your correspondence we understand that your main concerns are;

That the personal data that Equifax holds is no longer secure;
That Equifax has transferred personal data to the USA; and
The time taken by Equifax to report the data breach.

Next steps

The ICO understands that Equifax suffered a cyberattack during May 2017 resulting in a number of UK customers’ personal data being put at risk. Equifax have now written to customers affected by this breach to advise them what personal data has been compromised.

Both the Financial Conduct Authority and the ICO are investigating the data breach, the transfer of data to the USA and the time taken to report the breach. The outcome of this investigation will be made available to the public on our website.

I note your question about compensation from Equifax. Regrettably, the ICO does not award compensation. You may wish to contact the Financial Ombudsman Service (FOS) regarding this matter (http://www.financial-ombudsman.org.uk/)

Guidance is included with this letter about steps you can take to reduce your risk of identity theft and signs you may wish to look out for. If you believe that your data has been used unlawfully, you should contact one of the agencies listed for further advice.

Yours sincerely,

Craig Marsden
Lead Case Officer
Information Commissioner’s Office
01625 545249

Feedback about our service
If you think I should have done something differently in how I have handled your concerns, or how I have treated you, please tell me.

On 5th February 2018, the Information Commissioners’ Office also sent the following general advice to me (see above):

Identity theft

Your identity is one of your most valuable assets. If your identity is stolen, you can lose money and may find it difficult to get loans, credit cards or a mortgage.

Your name, address and date of birth provide enough information to create another ‘you’. An identity thief can use a number of methods to find out your personal information and will then use it to open bank accounts, take out credit cards and apply for state benefits in your name.

What signs should I look out for?

There are a number of signs to look out for that may mean you are or may become a victim of identity theft:

You have lost or have important documents stolen, such as your passport or driving licence.
Mail from your bank or utility provider doesn’t arrive.
Items that you don’t recognise appear on your bank or credit card statement.
You apply for state benefits, but are told you are already claiming.
You receive bills or receipts for goods or services you haven’t asked for.
You are refused financial services, credit cards or a loan, despite having a good credit rating.
You receive letters in your name from solicitors or debt collectors for debts that aren’t yours.

How do I reduce the risk of identity theft?

Store any documents carrying personal information – such as your driving licence, passport, bank statements, utility bills or credit card transaction receipts – in a safe and secure place.

Shred or destroy your old documents so that nothing showing your name, address or other personal details can be taken.

Monitor your credit report and regularly check your credit card and bank statements for suspicious activity.

When you move house, contact your bank, credit and store card providers, mobile phone provider, utility providers, TV licensing, your doctor and dentist etc, and give them your new address – you don’t want the new tenants to have access to letters containing your personal information. You can also redirect your mail by contacting Royal Mail.

Remember, less is more. The less you give away about yourself, the lower the risk of information falling into the wrong hands.

Think before you buy online – use a secure website which displays the company’s contact details, look for a golden padlock symbol and a clear privacy and returns policy. Check the web address begins with https.

What can I do if I’m a victim of identity theft?

If you think you are a victim of identity theft or fraud, act quickly to ensure you are not liable for any financial losses.

Report all lost or stolen documents, such as passports, driving licences, credit cards and cheque books to the organisation that issued them.

Inform your bank, building society and credit card company of any unusual transactions on your statement.

Request a copy of your credit file to check for any suspicious credit applications.

Report the theft of personal documents and suspicious credit applications to the police and ask for a crime reference number.

Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you have registered you should be aware that CIFAS members will carry out extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.

CIFAS – The UK’s Fraud Prevention Service
6th Floor
Lynton House
7 – 12 Tavistock Square


You can also get more advice at:

Action Fraud http://www.actionfraud.police.uk
Bank Safe Online http://www.banksafeonline.org.uk
Financial Ombudsman Service Telephone: 0800 0 234567 http://www.financial-ombudsman.org.uk

CardWatch c/o APACS
Mercury House
Triton Court
14 Finsbury Square London EC2A 1LQ http://www.cardwatch.org.uk

To report the theft or loss of post and other important documents:

Royal Mail
Telephone: 08457 740 740 http://www.royalmail.com

Rachel Langley says:
9 February 2018

[Your comment has been removed for being off-topic and promotional, which breaches our Community Guidelines. https://conversation.which.co.uk/commenting-guidelines/ Thanks, mods.]

The truth about these breaches is yet to come out – if it ever will. However, it looks like Equifax have admitted yet again that the breach is worse than they originally admitted – after the last admission.


What beggars belief is how it is still impossible to get a bank account in the UK without signing up to allowing the banks to send your personal details to Equifax. I opened my daughter’s first account with RBS a few weeks ago. It was a case of either agree that we send Equifax your daughter’s personal data or we cannot open an account for you. I explained the security issues and ongoing “investigations” by the FCA and ICO and the poor RBS employee didn’t have a clue what I was talking about.

The sad reality of the Equifax situation is obvious. The UK Government would have to admit that it has no control whatsoever over UK citizens’ personal data. It would have to admit that by opening a bank account or voting in a Government election UK citizens leave themselves open to identity theft and fraud. They would need to admit that as the data is held outside their jurisdiction there is absolutely no recourse for the UK citizen when they suffer fraud / identity theft.

Neither the ICO nor the FCA have been able to produce a statement reassuring UK citizens that opening a bank account or registering to vote in an election is safe to do. That is an infringement of very basic rights. Why is this not headline news?

Crimes have been committed against over 15M UK citizens. Taxpayers pay for the ICO, FCA and many other very expensive organisations to protect us from such crimes. They cannot even reassure us of the safety of our basic right to open a bank account or register to vote.

I just got a letter through from Equifax following the Financial Ombudsman raising my complaint with them. It provides the same number that was in the original letter. This number takes you to an outsourced contact centre provider in the Philippines. They attempt to take more data from you. When asked where the data will be stored they refuse to answer, saying instead that the UK HQ is in Leicester. When asked if the data they capture is stored at that site they say they cannot provide that information.
When asked where the data that was breached is stored and what new measures have been implemented they again refuse to answer. They have a standard response provided to them that is not even factually correct regarding the historical malpractice that led to the breach in the first place. They also provide contact details for the ICO. So I gave them a call on the off chance they might actually have meaningful information.
After a half hour wait to get through – they say this is because of GDPR deadline in May – they delivered the same nonsense about an ongoing investigation. I asked what advice they are giving victims of the breach / malpractice – they aren’t giving any as it is an ongoing investigation.
I went on to ask if they could reassure me that the data is now held in a location that is under the jurisdiction of the UK Government. They could not confirm this – just that the investigation is ongoing.
I pointed out that when I asked Equifax to remove my details from their systems I was told that legally they were not allowed to do that. I was referred to the previous response about the investigation being ongoing. What we need is a full public enquiry into how Government and the Finance industry has been so lax in protecting UK citizens’ personal data and why they did not ensure and confirm that the data was held in the UK and under the responsibility of a UK Data controller. By not doing this all the government departments and finance and utilities companies should be held accountable.
Instead the same inadequate privacy agreements that were in place when the breach happened are still in operation. Why are the banks, utility companies and government departments that have been so careless in ensuring the safety of UK citizens’ data not being taken to task by the ICO, FCA, etc?
A full public enquiry is required to sort out how these institutions have left over 15M UK citizens at risk.

As you know, Equifax extended free credit monitoring to all Americans, but I have just been informed that to placate the US even further they are now extending the offer to allow their top competitor, Experian, to allow credit monitoring services for the 148 million users of Equifax.
And the UK customers?? Still waiting for compensation, and the new offer of free credit monitoring given to the USA?
In any case all customers’ data will be transferred to Experian.
Funny, wasn’t Experian’s servers hacked in the past? Yes.