
Have you received a ‘data breach’ letter from Equifax?


Credit reference agency Equifax is writing to the nearly 700,000 UK individuals worst affected by its data breach – but will the letters cause further harm?

Five months after Equifax was hit by a major cyber-attack, the credit reference agency has begun writing to the 693,665 UK consumers whose details were stolen.

The compromised information includes email addresses, passwords, driving licence numbers, phone numbers and partial credit card details. Equifax says each letter will set out which data has been compromised for that particular recipient. To reduce the risk of identity fraud, Equifax is offering affected individuals a choice of free identity-monitoring services.

Yet there’s evidence that far from reassuring victims, Equifax’s letters are sparking panic among some recipients, with a few even questioning whether the letter itself is a scam.

That’s because many recipients have never heard of the firm and don’t know why it holds their data. Regrettably, the letter doesn’t answer these questions.

Who is Equifax?

Equifax has confirmed that just 3% of those it is contacting now were its direct customers. How is this possible?

As a credit reference agency, Equifax receives personal data from banks and other financial institutions when someone applies for a bank account, mortgage or credit card. Consent for this sharing is usually included in the application’s terms and conditions.

This means Equifax may hold data on you, even if you’ve never dealt with it directly. Others will have transacted with Equifax themselves by purchasing a credit report or identity-monitoring services from it.

What is Equifax offering?

If your data has been breached, you may be at heightened risk of identity fraud. To combat this, Equifax is offering free services that monitor how your identity is being used online: some are run by Equifax itself, and one is run by the anti-fraud body Cifas.

If you’re concerned about the security of Equifax’s own products, you can opt instead to be enrolled in Cifas’s Protective Registration scheme. However, you will still have to give some personal information to Equifax so that it can enrol you free of charge.

It is also possible to enrol directly through Cifas, although this attracts a £20 charge (for two years’ cover).

Scams risk

We’re concerned that scammers may try to capitalise on concern around the data breach by posing as Equifax in order to dupe individuals out of their data or money.

If you receive a letter about the Equifax data breach and aren’t sure whether it’s genuine, don’t rely on any phone number printed on the letter itself. Instead, look up Equifax’s number independently via a search engine or directory enquiries, then call it to confirm the letter is genuine.

Is Equifax doing enough?

We want to know what you think of how Equifax handled the data breach. Do you think it’s acted promptly and adequately to protect customers? If you’ve received one of its letters, did you understand it, and did you take up its offer of free protection? If not, why not?

Comments

They knew about it in March, but Congress has voted against the American public suing them. It includes 11 million driving licences and a massive number of National Insurance numbers. As the convo heading hints, Equifax is being very conservative about the amount and range of the hack; they are under Senate investigation just now. Numbers: 143 million consumers’ data hacked (Bloomberg), and yes, their worldwide organisation has been hacked, not just Americans’. Guess what: the stock went massively down, 30%, but before it did many Equifax executives SOLD off their shares; the US Justice Department is investigating. My question is, why all this time to make an issue of it, as the US media and tech websites were reporting it months ago? I got emailed long ago and I am looking at US websites’ dates of it being reported to the American people. The ex-Equifax CEO secured a $7.5 million contract with the IRS. Already its data is up for sale, and that could mean YOUR data; I even saw their photo of the website selling it. Plenty more info if needed.

It’s getting to the stage where anything written by anyone has to be looked at with suspicion. What is even more alarming is that even though passwords are secure and everything done online is encrypted and protected properly, it still isn’t safe. At some point every detail that you wish to keep secret is stored somewhere so that it can be verified and the transactions approved. We have no method of protecting that data and no way of knowing whether it has been stolen. Then a red-faced company owns up to a data breach and the criminals get busy raking in our cash and selling our lives to others round the world. When this happens to enough people, the system will crash because no one will want to use it any more. It is only the convenience and simplicity that keeps it alive. The more we rely on internet finance, the harder it will be to change habit, but there will be a tipping point and a judgement as to whether this is worth the risk.

Patrick Taylor says:
11 November 2017

And what cash reimbursement to those affected by the breach? I am talking about the consequent stress from reading the Equifax letter and becoming even more paranoid about the inadequacies of a system run by Equifax and others.

£50 per person perhaps for now? And of course any serious attack may need further reimbursement for the individuals suffering.

Suing Equifax in the USA has been banned by Congress, Patrick. California already has a claim in, and others too, but what is the reaction from TM: sue or not to sue?

It hasn’t been banned, Duncan; Trump hasn’t yet signed it into law. If he does, however, I suspect it’ll only be a temporary reprieve, as the vote on this was 50/50, with Pence having the casting vote.

Duncan – I would hazard a guess that the Prime Minister doesn’t know anything about this let alone have a policy on it.

Now that, to me, is one of the best pieces of “brightening up your day” I have heard, John. Unconscious comedian?

Well, it was intended as a serious point, Duncan. Many people think the top echelons of government are omniscient, but they only know what the civil servants tell them, and that is as little as they can get away with. The PM relies on the various secretaries of state and junior ministers to deal with the daily flotsam and jetsam of public affairs – and that just within their narrow remit – and only to brief her if it’s going to blow up into a big political issue. Ministers are not required to be intelligent on things – that is just an accidental outcome on occasions, or beginner’s luck; they are presented with binary options which they tick in an algorithmic way. This is the way the country is run and it is the best system; it avoids having to give credit to politicians which could sink them later in their careers. They wouldn’t last two minutes in commerce or industry, or in the military.

DEBORAH JONES says:
11 November 2017

I was absolutely stunned to receive a letter: I am still trying to work out how useful the data is to anyone given much of it would be in the public domain anyway – but I am worried they might have lost more than they think.

It’s the lead-on consequences from it, Deborah. Now they have the National Insurance numbers, that allows access to many other secure government websites holding personal data. US driving licences provide a lot of info for criminals.

Linda says:
14 November 2017

I received a letter yesterday dated 6/11/17. It said “recent cyberattack against Equifax in US”, then lower down the page said it happened in May! Explains all the international and nuisance calls I have been getting. Couldn’t believe they had listed free available services to protect me. What a joke!! They haven’t even contacted everyone whose data has been accessed either. It’s appalling.

Yes Linda, I mentioned that in a previous post. They at first refused to admit it (lied) and then were forced to, due to certain tech websites in the USA publishing it and it getting into US newspapers. By the way Linda, they are not the only large company to lie about this type of thing; it’s “legendary” in tech circles. As some of them say: the truth is what I make it.

Is it legal for my personal details to have been ‘exported’ to the USA by Equifax? How did my details come to be on a US database? Have Equifax broken the Data Protection Laws??

Anon, HMG AND the EU, under a trade agreement and after a lot of talk about it in other countries but not here, agreed to it. This country silently introduced it a year last August, that our data be held on US servers. What isn’t being told as we speak is that SOME of our MEDICAL data is already in US hands, and this country again will silently export it to the US. There have been so many breaches there, and selling to third parties so that they can email/phone you about “cures” for your illnesses, that you would get fed up with me posting them, but I get notified, not just from one source in the USA but multiple. Let’s face facts: your private data is their data. There is no public secrecy left, only if you are rich enough or are at government level. You want more? I have been saying for a long time that GCHQ/NSA also hold all our data; well, listen to this. The New York Times has just published an article detailing the selling of the backdoors that both have in our communications, ALL digital communications. A large number of this official malware is out there under various well-known names, so all my warnings about backdoors have proved correct, and the NSA are the WEAK link (at the moment), not GCHQ; we are just stupid enough to give it to them and assist in creating backdoors. I have archived both articles if anybody disbelieves me. Honestly?? You no longer have a private life because of the web and digital electronics. The USA hold the biggest data collection in the world on us, Big Data it’s called. Be happy!

David says:
21 November 2017

My letter doesn’t mention the data was hacked in the USA but Equifax sent it to my home address. So I wonder if address details are kept separate from the other details that were hacked ?

David, the hack was in the USA; my point is that our data in the UK is transferred to US servers and the “Cloud” has been hacked. Your address is the minimum they got; in reality they got a lot more personal info. Globalisation now means UK data is transferred to the USA; our beloved government agreed to it a year or more ago.

Richard says:
22 November 2017

Has anyone got access to definitive advice as to whether one should accept the offer of “Free Services” from Equifax?

Some observers say yes, some say it might make things worse!

Hardly a re-assuring situation!

That depends, Richard, on whether the “free” services offered are the same “free” services offered to US citizens. I take it that you have been offered constant monitoring and tools to help keep your data safe, as well as “free” credit checks? But in the USA from January 31st Equifax are offering a new “free” service called Credit Locking, to stop criminals, even if they HAVE your data, from opening an account. Have you been offered that? This to me is not too reassuring if you think about it: it means hackers could still access your data but use it for other types of financial gain, and believe me, from my years investigating what hackers can do, they aren’t going to be stopped anytime soon. As I said on another post, even the FBI have asked Amazon to keep their data on you in a special cloud server. They know what hackers can do, as it’s them that created the back doors. If you sustained a loss the US are suing, but that doesn’t apply here, and I have been told: don’t talk about the USA, I think because it upsets UK citizens on the different treatment our government applies.

Hi Richard, you should have been offered free credit monitoring from other providers, not just Equifax. It’s understandable that some won’t want to go with Equifax, which is why they should be able to take up an alternative service. Let us know if this isn’t the case.

Norman Minty says:
23 November 2017

My wife and I both received one of these letters today 23/11/2017. Without doubt it caused alarm to both of us especially as we have never heard of Equifax.

Having received the letter my scam antennae went up immediately and I started to research Equifax and the data breach. This I did via the BBC site and the Which? website. As advised, I then searched for the customer relations service of Equifax, which, although a UK Freephone number, connected me to, I believe, an American operator, though it could have been anywhere in the world but was most certainly not in the UK.

After questioning the lady I was told that, in our case, the only information that has been accessed is our names, dates of birth and home telephone number. The operator then tried very hard to get us to sign up for the monitoring service, which we declined. The reason: if this firm, which I do not use and have never heard of, cannot look after minor details such as those shown above, then why should I trust them with anything more? It would also appear that Equifax have been exempted from any legal prosecution in America by the governmental authorities for their failure to protect our information, so why would they bother to change their ways!

In my opinion the whole thing has been abysmally handled. Today was the first I have heard of the breach, six months after the event. Some might say that perhaps I should be more proactive. However, I believe the responsibility of informing those affected in a timely manner, is that of Equifax.

To get further reassurance I will follow up my question of what information of ours has been compromised by writing to the UK Customer Relations Team in Leicestershire.

If the “Which” team are able to give me any other advice I would be most grateful.

Norman Minty.

Hello Norman, thanks for sharing this with us. Our understanding is that you should have been offered free credit monitoring from other providers, not just Equifax. It’s understandable that some won’t want to go with Equifax, which is why they should be able to take up an alternative service. It’s a very confusing situation, as many people who’ve never had direct dealings with Equifax before will be getting these letters.

Four groups of affected UK customers have been identified:
37,000 whose phone numbers were stolen
29,000 whose driving licence numbers were stolen
15,000 who had some of their Equifax membership details, such as usernames and passwords, stolen
and 12,000 whose email address was stolen

We’d certainly be interested to hear more from you on this.

Melanie Hersey says:
23 November 2017

I received a letter yesterday stating my name, date of birth and landline had been hacked. This explains why my previously quiet landline, registered with TPS, was inundated by cold callers from May – sometimes 20 a day! These calls were about benefits, grants for boilers etc. and came through on multiple numbers. It was clear these calls, although they had my name, were spammy. I purchased a call blocker in June (such a pleasure hitting the big red button, and GONE) and now, nearly 6 months later, I’m down to a couple (number unavailable) a week.
I have no idea if I should take up the Equifax offer. I prefer NOT to give a company, who appears to have lax security, any more of my personal details. There is no information as to the perceived risk of what these hackers could do with my information now. Have I done enough by blocking the hackers calls? Could Equifax reimburse me for the cost of the call blocker? I guess I know the answer to that…

Melanie, your comment on the “big red button” signifies you are using the same call blocker as I have been using for two-plus years. The “unavailable” will probably be a VoIP call. To block them: get dial tone, preferably on speaker, and key in **7 hatch 6*hatch. You will hear a bleep after every success. I have found a “trick” method of blocking those long numbers that get through. It’s not part of the programming proper but it works. There are two other big US companies that probably hold your data too but have not been hacked. For those that don’t know, the credit agencies’ method of operation is that data is distributed among them, for obvious reasons.

I had read about the breach as soon as Equifax had publicly admitted it, though never thought about it affecting people in the UK, and definitely not myself, until I received my letter yesterday. Same as some other comments: very wary of giving more personal information to the same people who were breached previously, took 4 months to admit it, and a further 2 to tell people in the UK.
They should institute an option where you contact Cifas (the unrelated protection service) directly. They can still pick up the tab as offered, but at least you don’t need to give Equifax any more of your own personal details to enable it.
The letter was badly worded, as it should have explained straight away who they were, and how it affected the majority who have never dealt with them directly, rather than adding part of this as a sort of footnote.

Eddie says:
28 November 2017

I received a letter today and my reaction was similar to others in the conversation. The call centre handling the freephone number was hopeless and in the end simply referred me to the website. The alternative credit report providers listed on the information sheet are not providing the same level of monitoring as the Equifax Protect without payment. Like others I am very reluctant to provide Equifax with further information. I would like to know which organisations checked me out with Equifax.
For the past year I have stopped answering my landline unless the number is a family member due to the number of scam calls.

This isn’t going to go away anytime soon, and it’s all down to globalisation plus TWO different legal systems, where the UK comes out the loser. It has already been agreed upon that to make globalisation work an interchange of “customers’” data must be provided GLOBALLY. Our gracious government made the “behind the scenes” decision to supply ALL our data to US servers over a year ago (Big Data USA), meaning legally your data is in USA hands. This includes the THREE big US credit data agencies. Data security (as opined by professional security companies) in Equifax’s case was termed “lax”. As the data is held in the USA, their laws apply ONLY to US citizens, who, YES!, are being treated a lot better than UK citizens. Quote from a very well-known US media group: “we have three private companies that TRADE in, and PROFIT from, vast amounts of highly sensitive data/information about American consumers” (attorney at the National Consumer Law Center). They have a presence in more than 20 countries globally; Equifax also operates in the UK and Canada. You want the truth?? Many of those countries do NOT require private credit reporting companies to get CONSENT from individuals to use and process their personal data. It will only be in May 2018 that the EU will enforce laws, i.e. the General Data Protection Regulation, that require the companies to notify respective governments within 72 hours. And us?? Take in Brexit, add in a US/UK Trade Agreement, and what have you got?? I bet no change to new EU regulations. But it’s the personal treatment difference between both countries that gets me; it’s a world of a difference: UK, third world country/satrap of the USA. US citizens get respect and much better treatment. Globalisation?? Keep it!

John Taggart says:
29 November 2017

The actions provided in the letter could lead to a very false sense that you have protected yourself. This is not the case. In fact it actually opens up a further security risk with at least one of the other Big 3 credit reference agencies. Using the data gleaned from the original data breach the criminals can actually go onto the Experian website and use your data to request a PIN number. This can then be used to unfreeze your credit score – one of the ways suggested to protect yourself by Equifax – “It appears that hackers, armed with newly exposed sensitive data on all of us thanks to Equifax, could use said information to unfreeze credit through Experian’s website since the challenges for personal verification were all essentially in Equifax’s data pool as well.” You can actually test this yourself even if you haven’t got an existing relationship with Experian. It is a data exposure nightmare. Even if that was not the case you are still lying wide open to other fairly easy to commit frauds even with the minimum data – Name, D.O.B., Tel Number.
I just got my letter yesterday. The ICO and the FCA offered no information whatsoever. When I flagged this secondary risk to the UK Police Cyber Crime Team they weren’t interested as no crime had been committed against me personally as yet – ID theft isn’t actually a crime until action is taken with the ID. I would have thought they would have wanted the info to perhaps alert vulnerable people that might think the actions outlined in the letter would protect them, rather than put them at further risk.
Currently no Govt agency is providing advice or guidance to the victims of a serious data breach months on from the event occurring. Many of the victims are still oblivious to the fact that their finances are at serious risk – May 17 until Nov 17 for them to inform me. The ICO are still “asking” Equifax to inform victims as soon as they can???
There are bigger questions that should be asked of this prime example of data recklessness. Almost all of the victims had no direct relationship with Equifax. If we had been told that data was going to be taken out of the jurisdiction of the ICO and over to the USA by our banks, utility companies, etc., would we have agreed to our data being managed so shambolically? Banks, utility companies should also be subject to legal action for not ensuring that UK citizens’ data was properly safeguarded within the jurisdiction of the UK. According to the ICO, as the data was being held in the USA and the Data Controller for Equifax is in the USA, they have no case to answer. This is the department we depend on to protect us from misuse of our personal information. All we have from them is a legal defence prepared on behalf of Equifax and zero information that would protect us post-data abuse. So far we have a statement on their website from an unidentified “ICO spokesperson” that tells us they are monitoring the situation.
ID thefts are now being acted on and frauds happening on the back of the data breach according to the class action law suits already taking place in the USA. Here in the UK our politicians are making up excuses for the businesses that caused this mess.

John Taggart says:
30 November 2017

We have only part of the 700,000 acknowledged victims informed. Equifax have as good as admitted that over 15M UK citizens have had their personal data accessed and stolen – but have been allowed to decide not to tell UK citizens by the UK Govt.

Quite bizarre that the UK Govt should leave all communication to the victims in the hands of the company responsible. No UK agency is offering advice or guidance to the victims. The ICO are saying that they cannot provide advice and guidance to the public as they are still currently only able to monitor the situation.

The UK Police Cyber Crime team can only offer guidance and support where a crime has been committed. So they are offering no advice or guidance to the victims.

FCA are taking a similar stance to the ICO – not their remit.

So I contacted Matt Hancock’s Parliamentary Office. The Minister responsible for this – office didn’t know which agency would be tasked with supporting the victims. They are going to ask the Dept of Culture Media and Sport (a non-public facing Govt Dept) to see if they know.

Almost a third of the UK’s adult population’s personal data has been hacked and is now in the hands of criminals. Why are the victims not being informed, and why is there not a Govt agency providing detailed support and information to the victims?

Thanks for backing up what I have been saying for a long time, John, that OUR data is in American hands. Some did not believe me, thought I was lying, but it’s a fact that the UK government has given our sensitive info to the USA in hush-hush and quietly/quickly implemented parliamentary-approved legislation to go forward with Globalisation. Their next step is providing ALL our medical data to the USA; they already had trials that leaked the info, so your embarrassing illnesses will be in third-party business hands in the USA before long. Don’t believe the “it’s safe in our hands”. No chance.

John Taggart says:
1 December 2017

Duncan, the horse has already bolted on health data – long gone.

Every UK enterprise company that deals with UK citizens’ data actually gets advice and guidance from the UK Government on how to ship our data out of UK legislation. So long as they pop it into the small print of their privacy notice they can send it out of UK jurisdiction for “processing”. They also utilise sub-contractors to trade in personal data. By creating a lengthy supply chain they negate the chances of anyone actually bottoming out the originating data thief. The UK’s largest charities are among the worst offenders. The ICO had a member of their Executive Team that happened to be the founder of Fundraisers sub-contractors. He attended Fundraisers events and told them that no charity / fundraising sub-contractor would ever be pursued with financial penalties by the ICO. They would instead receive guidance and advice on how to avoid issues in the future. So long as they can demonstrate they are working towards becoming compliant with UK legislation they could carry on. We are now seeing ICO spokespersons touring the country speaking at business events and public sector events telling everyone the same will be the case under GDPR: no one needs to comply with GDPR, they just need to be seen to be working towards it.
The ICO and UK Government are complicit in the non-existence of an effective data strategy to protect UK citizens’ personal data. The current and future legislation is not fit for purpose. We currently have just under a third of the adult population of the UK’s personal data in the hands of criminals. Neither the ICO nor the FCA nor the Police Cyber Crime Team have provided fit-for-purpose information to the victims. The vast majority of the victims do not even know they are currently at risk. Those that have been informed have been given poor advice by a company that caused the problem in the first place, and are now being told by the UK Govt and bank fraud departments to provide even more personal data to Equifax, who have had multiple data breaches this year alone and still cannot advise us on where the existing personal data they have is actually being stored.
Matt Hancock should resign, Nicky Morgan should resign. The ICO should be shut down as it just delivers no useful service to the UK public – a complete waste of taxpayers’ money.
We need to be able to use class actions to deal with situations like this. Already there are multi-billion dollar class actions taking place in relation to this in the USA. Here in the UK we have our Govt and taxpayer-funded departments running defence for Equifax and their like to misuse UK citizens’ personal data without penalty and without sufficient protective and enforceable legislation to make them put in place proper safeguards for our data.
ICO claim they can do nothing about Equifax:
– they cannot tell them to inform the 15M+ victims.
– their hands are tied because the data was held in the USA and the data controller is based in the USA.
– they cannot discuss specifics as they are bound not to by article 59 of the DPA.
The Information Commissioner should be on the 6 o’clock news tonight telling the nation that over a third of the adult population of the UK’s personal data is now in the hands of criminals as a result of a single data breach in the USA. They should tell the nation that they don’t know who the victims are because they cannot legally compel Equifax to identify the victims. They should advise that they cannot guarantee the safety of any data held by Equifax and that they cannot recommend the advice given in the letter from Equifax as being a safe way forward for UK citizens. They should advise that registering with CIFAS is not an elixir to stopping the stolen personal data from being used for criminal purposes. The implications of this data theft are far more serious than getting an increase in nuisance calls. The data can be used to access bank accounts, make false tax return claims, apply for benefits, passports for terrorists, etc., etc., etc.
Why is this not front page news? Simple: this is a huge embarrassment for the Govt, the ICO, the FCA, the finance industry, the utilities industry and any enterprises that offer credit facilities, rental agreements. An absolutely shocking cover-up.

Thanks John for filling in the gaps in my information; we seem to think alike on things like this. I hate injustice, especially when it’s directed against the ordinary British public. Over a year ago last August is when I was informed of the official transmission of our data to US servers by Parliamentary legislation to help “elucidate” the implementation of UK globalisation. As you rightly say, the public don’t really realise how much of our data is held in the USA, and I hear about the same data being hacked there; even the FBI had some employees selling it. Americans are the ultimate business people; if they think there is a “fast buck” in it they are on to it like a shot. The only people with privacy are the extremely wealthy and, as you say, many of their “indiscretions” are covered up by a type of “Old Boys’ network”. If you check into how the Kennedys died, they were exposing what went on behind the scenes that wasn’t “allowed” to happen. The Mafia went “legit” but its methods are far from that in the business world, and many copy them. I don’t see anything changing unless there is a sea change in government thinking, and going by the fixed viewpoints, this country is in for even harder times. I keep hoping to hear good news from my sources but it hardly ever happens. Things are done with stealth now, and fake news.

Thank you to Which? (especially Faye Lipson and Karen White) for taking up this important issue.

I received my official notification from Equifax that my “personal data has been accessed” (their words), and that I must “take immediate action to protect myself” (their words), posted on 18th November 2017.

The notification continues “The hacker has had access to (my) data since May 2017 when the attack occurred”.

There is something very interesting about those dates.

I am a customer of Equifax, and on 5th May 2017 Equifax sent me an automated alert that my Credit Report had changed.

On 5th May 2017 I contacted Equifax to report that their alert had uncovered something going on with my account which was very suspicious. I pointed out the irregularities with my account and asked:

“Do you, perhaps, know anything about this please? I simply do not know how to follow this up.”

On the 8th May 2017 Equifax responded:

“Dear Keith

Thank you for getting in touch.

We acknowledge your concern, recently we’ve had some problems with our online systems, specifically to do with alerts. I notice that you’ve been affected by these problems from looking at your query. Rest assured, we’re looking into this issue at the moment and hope to fix it as soon as we can. We’re sorry for any confusion caused by this.

Kind regards

Equifax Customer Services”

Coincidence? Or the earliest evidence of the hack?

Faye asks: We want to know what you think of how Equifax handled the data breach. Do you think it’s acted promptly and adequately to protect customers? (1) If you’ve received one of its letters, did you understand it, and did you take up its offer of free protection? If not, why not? (2)

(1) The earliest reports in the media that Equifax had been hacked are dated 7th September 2017 in the New York Times. There was no mention of UK exposure. The earliest report that UK records may have been stolen was dated 11th September 2017, in the technical press (The Register). It is headlined “44m UK consumers on Equifax’s books. How many pwned? Blighty eagerly awaits spex on the breach. Speculation mounts as Equifax stays mum”.

This was followed up with more speculation from The Guardian on 16th September 2017.

It was not until The Register published on 12th October 2017 an article headlined “UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles. ‘People have been left in the dark for too long’” that the UK was officially informed by Equifax (on 10th October 2017) that “Equifax said it had underestimated the effect the breach would have on UK accounts, as previously reported.

It now estimates a file containing 15.2 million UK records dating from between 2011 and 2016 was compromised. Most of the contents were duplicates or test data so in real terms the private details of almost 700,000 people has been exposed. Equifax has promised to contact affected Brit consumers by post. The breach began in May 2017 and persisted until it was discovered in July. Equifax has had weeks to get a grip on its incident response but has messed up at every turn.”

Compare all those dates with my report to Equifax on suspicious, inexplicable activity on my account, dated 5th May 2017, and their admission dated 8th May 2017.

I say to Which? that I categorically do NOT think Equifax had acted promptly, regardless of whether my report on suspicious activity was connected or not. Shouldn’t my early report now be properly investigated?

The UK has been officially left behind. What are the Financial and Parliamentary authorities proposing to do about this situation?

(2) I did receive a letter, and I certainly did understand it. I have not yet taken up any of their offers of extra protection, but I intend to. What is worth considering is that I am the sole carer of my 95-year-old Mother-in-Law who suffers from dementia, and that this data breach is incredibly disruptive to me. I dare say lots of UK residents are similarly severely inconvenienced by this.

We have a right to expect our financial data to be secure.

But now we have the thought that at any time in the future this data may be used against us, when we have all forgotten about the extra vigilance required!

I ask Which? to kindly consider under what circumstances should UK residents’ financial data be exported beyond the UK’s jurisdiction? (The data breach was a hack on the Apache server used by the USA arm of Equifax. The USA arm of Equifax had neglected to maintain its security updates! Why were there unprotected UK records on the USA data server?)

There are class-actions taking place in the USA (Republican politicians are trying to limit Equifax’s financial liabilities). What legal action can there be to compensate UK residents?

Once again, Thank you, Which?

Mars – the EU is bringing out a new law next year that shortens the time those types of companies + others can hide the truth; it will be cut down to 7 weeks, BUT we have Brexit, don’t we? It’s long gone, any chance of changing the new legislation. ALL our data is exported to the USA and has been for some time. HMG are never going to change that as that’s what big business + America wants. My sympathies are with you though. American law in this situation is superior to ours with several caveats already in place.

Patrick Taylor says:
3 December 2017

Excellent stuff from Mars and from John Taggart. Perhaps Which? can advise on any financial penalties that may apply – personal – and group.

Update: I have reported the Equifax breach of my personal data as a crime to Action Fraud (on 30th November, 2017), and received a National Crime Reference Number. I suggest other victims also do so: numbers might make a difference?

Good man Mars! I am going to be very interested in the outcome as it will prove once and for all (to me) if all those NGOs/government departments really will take action on behalf of their own citizens. Sorry, I won’t be “holding my breath” as I have heard all the excuses from their + US Government Department representatives as, in their view, there is a “bigger picture” of the Banks – Big Bank – USA and other “vital” cogs of commercial industry, but BEST of luck!

John Taggart says:
4 December 2017

Well done Mars. The Action Fraud Team refused to consider my data breach notification as being a crime. They also refused to acknowledge my concerns about how the data could be used to access Experian’s credit rating freeze system by using the data to get access to the security PIN.

There seems to be a reluctance on the part of Govt agencies to record complaints regarding this – are they trying to disguise the impact for political reasons? Can’t believe that this is not headline news!!

John Taggart says:
4 December 2017

Well done again Mars. I got the CRN this time by phoning. I had to push to get it recorded. Only the ICO have failed to register the issue despite multiple escalations.

John Taggart says:
6 December 2017

Spoke with the ICO again yesterday. Further confirmation that the data was indeed held in the USA. Equifax themselves claim that the data was always held in the USA. With the Data Controller for Equifax also in the USA, Equifax are not in the jurisdiction of the UK. Essentially, UK Citizens have been left completely exposed to ID theft and fraud and have no recourse. In the USA there are already multiple class action law suits. Here in the UK we do not have that option. We completely depend on Govt agencies to protect our data and police those that mishandle our data.
I am sure many of the 15 million UK citizens will have been through the process of setting up a Government Gateway account. It is a convoluted process. What use is all that security when once they have your personal data they can ship it out of the jurisdiction of the UK so that UK citizens’ data. The ICO’s position is that it is not down to them to stop Government, banks, utility companies from entering into agreements that put UK Citizens’ data out of UK protection (questionable that there is any level of protection in any case).
We have a third of adult UK Citizens’ data stolen and in the hands of criminals. The ICO are powerless to even assess how protected UK Citizens’ data is at Equifax even now. They cannot tell us what has been done to protect the data at Equifax from further breaches – none of the UK agencies involved can tell us that. They cannot even tell us which country that data is now stored in. They have no powers to investigate this as the data was always held in the UK.
The advice being provided by the ICO is that we should contact Equifax directly as the ICO has no powers and can only “monitor” the situation, aka they are doing nothing. The National Cyber Security Centre, part of GCHQ, along with the FCA are advising victims to take the services offered in the letter. The NCSC and the FCA should be aware that in doing so UK Citizens will in fact be handing over even more data that will be held outwith their own jurisdiction. They are effectively recommending that we store our personal data with a company that has suffered multiple data breaches this year alone in different departments / data sources.
Why are the ICO not looking into the agreements between the primary data controllers of UK Govt, UK Banks, UK Utilities, etc. and Equifax? The answer again is quite simple. They actually advise these businesses on how to set up these agreements so that they do not breach UK legislation. The majority of UK enterprises utilise standard privacy agreements with customers that allow them to “process” UK citizens’ data out of the jurisdiction of UK legislation.
The ICO have been pretty much silent on this matter. I challenged them on why they have not informed the UK public regarding a third of the adult population of the UK’s data being stolen. Their response is that they put a statement on their website. The statement doesn’t provide any information and does not even name the spokesperson. I asked why they are not providing information to victims when they call. They confirm that the line they have been given by the ICO is that they cannot discuss the matter as there is an ongoing investigation.
Matt Hancock’s office did not know about the breach. He is the Minister responsible for the ICO. At least Nicky Morgan and the Treasury Select Committee are active on Equifax. Why are the ICO saying nothing / hiding from a data breach that has implications for so many UK Citizens? I think the conclusion is pretty obvious. They are being shown up as a department that is not fit for purpose. GDPR will not change that. The UK needs a proper data protection strategy backed by a competent agency. The ICO need to go!

Hallelujah John, you have put more eloquently what I have been banging on about in various convos for years. You’re absolutely RIGHT, it’s in USA legal law control in THEIR servers, which I know for a fact cover US citizens but not “FOREIGNERS” like us. IT seems to fail completely in many people’s eyes that this is a fact and that our data (all of it) gets “shipped” over to the USA. Even US tech websites and legal websites in the USA comment on this, but will the people here wake up to reality?? I guess not. I remember being informed by US websites of the fact that the UK government rushed it through parliament and introduced it over a year last August. Thank god for US honesty; collusion kept it from the media in this country – we are third class citizens as far as globalisation is concerned. Thanks for affirming this, I hope people believe me now. Read US law pertaining to foreign held data.

Catherine Schade says:
7 December 2017

Just back from holiday and Equifax letter had arrived in my absence. It’s worrying and I’m not sure what to do, if anything. I certainly don’t wish to take up Equifax’s “kind offer” to safeguard my personal details, given they leaked them in the first place!
I guess I just have to be vigilant about checking bank statements, credit card bills and so on.

I have been checking the qualifications of the UK Information Commissioner, Elizabeth Denham, to see if she has the necessary skills to understand *anything* about cyber security. Apparently, the ‘powers that be’ have appointed someone with a History degree from the University of British Columbia.

Her predecessor, Christopher Graham, also had a degree in History but from Liverpool University.

His predecessor, Richard Thomas, ‘studied law at Southampton University’ (perhaps unsuccessfully, since Wikipedia only claims an ‘honorary Doctorate’ awarded later?)

And his predecessor, Elizabeth France, ‘read politics at Aberystwyth’…

It is no wonder that we have no enforceable statutory control over digital records, since all we have had to protect us are a bunch of useless technophobes with no personal knowledge of how computers work.

Why, for example, was it LEGAL for UK-Registered Credit Reference Agencies to hold and transmit personal data about the entire adult population of this country in an unencrypted form?

Why are UK-Registered Credit Reference Agencies allowed to keep their licences even when they are NOT updating their servers with the latest security patches?

Why are UK-Registered Credit Reference Agencies allowed to transmit sensitive personal information about UK citizens beyond the jurisdiction of the UK, where such data may be abused and where OUR data laws do not then apply?

Why are UK-Registered Credit Reference Agencies allowed to maintain insecure data servers abroad?

Why is the cyber security of financial organisations NOT being effectively monitored in the UK?

Why is the ICO asleep on the job? Not properly qualified to do the job, perhaps?

Are you reading this, Which?, because you may be our only hope!

Many leaders of institutions and commercial operations are not qualified in the detail of the work; that is what their staff are employed to do. They then advise those “in charge” to enable them to make a decision. Should the boss of an airline be a qualified pilot? Should the manager of a hospital be a doctor or surgeon? Personally, I think that people in charge of something should know a reasonable amount about the “nuts and bolts” but I am not sure I’m right.

The superiority of the ‘generalist’ has been a significant feature of the UK Civil Service for around 150 years. History degrees have usually been favoured over any others because they are regarded as a mark of all round intellectual capacity. I am sure within the Information Commissioner’s office there will be many experts on data security and computers as that is its purpose. They will also have people with specialist knowledge of credit reference agencies, mailing houses, call centres, personal information databases, commercial operations, and related functions. The chief talents required at the top are leadership skills, authority, diplomacy, operating effectively within the governmental and political environment, and a reliable record of performance at or near the top of a multifunctional organisation. Three out of five would be good.

You’re right malcolm and it’s what I have been banging on about for a long time. Some decades ago that decision was made in big business + government where technical knowledge was not needed as long as you were of reasonable intelligence and could boss others. It spawned NGOs and buffer organisations to protect government and big business from direct accusation, where the public were deflected from their straight purpose to an administrative maze where buck passing was the norm. It’s going to get worse as less and less real information is allowed in the UK by blocking access via the internet and controlling the news media who only put out government approved news.

I don’t think the Paradise Papers story was government-approved news, Duncan. Most news media gave it good coverage. The Prime Minister’s humiliation(s) in Brussels have also been well reported.

They didn’t have much choice John , they couldn’t deny it.

I think there’s a lot to be said for having folk work their way up within any given organization.

If they do that, it won’t really matter whether or not they start out with an academic degree, never mind what subject it might be in.

Most things today are decided by a computer. Has a computer ever done any job that it makes decisions about? It only knows what has been put on to it by a programmer who knows nothing about the job either, having never worked in any industry, just been taught at university by someone who has not even done the work either. A programmer who has spent time doing the same thing learns much about what they are doing by learning from their mistakes, as long as the feedback gets back to them. Using computers for everything always seems to lead to errors that have to be corrected later. Computers do not have any common sense to use either, which is usually needed to get everything correct.

Given the job via the “old boy” network maybe ??

Computers do make decisions, now; they decide on the basis of the prevailing conditions, but they’re not yet as fully adaptive as humans. What you’re asking for, Bishbut, is fully cognisant AI. We’re still a bit away from that yet.

“programmers” ?? – these days, the IT industry has moved on, so that most large and complex applications are created by “software engineers”.

Whatever the name, these folk don’t work in ivory towers, they often spend a lot of their time embedded in the industries that they support.