Have you received a ‘data breach’ letter from Equifax?  

And what cash reimbursement to those affected by the breach. I am talking about the consequent stress from reading the Equifax letter and becoming even more paranoid about the inadequacies of a sstem ran by Equifax and others.

£50 per person perhaps for now? And of course any serious attack may need further reimbursement for the individuals suffering.

I received letter yesterday dated 6/11/17. Said recent cyberattack against Equifax in US then lower down the page said it happened in May! Explains all the international and nuisance calls have been getting. Couldn’t believe they had listed free available services to protect me. What a joke!! They haven’t even contacted everyone who’said data has been accessed either. It’s appalling.

Has anyone got access to definitive advice as to whether one should accept the offer of “Free Services” from Equifax?

Some observers say yes, some say it might make things worse!

Hardly a re-assuring situation!

My wife and I both received one of these letters today 23/11/2017. Without doubt it caused alarm to both of us especially as we have never heard of Equifax.

Having received the letter my scam antennae went up immediately and I started to research Equifax and the data breach. This I did via the BBC site and the Which website. As advised, I then searched for the customer relations service of Equifax, which although a UK Freephone number, connected me to, I believe, an American operator, though it could have been anywhere in the world but was most certainly not in the UK.

After questioning the lady I was told that, in our case, the only information that has been accessed is our Names, Dates of Birth and Home Telephone Number. The operator then tried very hard to get us to sign up for the monitoring service for which we declined. The reason; If this firm who I do not use and have never heard of cannot look after minor details such as those shown above, then why should I trust them with anything more? It would also appear that Equifax have been exempted from any legal prosecution in America by the governmental authorities for their failure to protect our information, so why would they bother to change their ways!

In my opinion the whole thing has been abysmally handled. Today was the first I have heard of the breach, six months after the event. Some might say that perhaps I should be more proactive. However, I believe the responsibility of informing those affected in a timely manner, is that of Equifax.

To get further reassurance I will follow up my question of what information of ours has been compromised by writing to the UK Customer Relations Team in Leicestershire.

If the “Which” team are able to give me any other advice I would be most grateful.

Norman Minty.

I received a letter yesterday stating my name, date of birth and landline had hacked. This explains why my previously quiet landline, registered with TPS, was inundated by cold callers from May – sometimes 20 a day! These calls were about benefits, grants for boilers etc and came through on multiple numbers. It was clear these calls, although they had my name, were spammy. I purchased a call blocker in June (such a pleasure hitting the big red button, and GONE) and now, nearly 6 months later I’m down to a couple (number unavailable) a week.
I have no idea if I should take up the Equifax offer. I prefer NOT to give a company, who appears to have lax security, any more of my personal details. There is no information as to the perceived risk of what these hackers could do with my information now. Have I done enough by blocking the hackers calls? Could Equifax reimburse me for the cost of the call blocker? I guess I know the answer to that…

We have only part of the 700,000 acknowledged victims informed. Equifax have as good as admitted that over 15M UK citizens have had their personal data accessed and stolen – but have been allowed to decide not to tell UK citizens by the UK Govt.

Quite bizarre that the UK Govt should leave all communication to the victims in the hands of the company responsible. No UK agency is offering advice or guidance to the victims. The ICO are saying that they cannot provide advice and guidance to the public as the are still currently only able to monitor the situation.

The UK Police Cyber Crime team can only offer guidance and support where a crime has been committed. So they are offering no advice or guidance to the victims.

FCA are taking a similar stance to the ICO – not their remit.

So I contacted Matt Hancock’s Parliamentary Office. The Minister responsible for this – office didn’t know which agency would be tasked with supporting the victims. They are going to ask the Dept of Culture Media and Sport (a non-public facing Govt Dept) to see if they know.

Almost a third of the UK’s adult populations personal data has been hacked and is now in the hands of criminals. Why are the victims not being informed and why is there not a Govt Agency providing detailed support and information to the victims?

Thank you to Which? (especially Faye Lipson and Karen White) for taking up this important issue.

I received my official notification from Equifax that my “personal data has been accessed” (their words), and that I must “take immediate action to protect myself” (their words), posted on 18th November 2017.

The notification continues “The hacker has had access to (my) data since May 2017 when the attack occurred”.

There is something very interesting about those dates.

I am a customer of Equifax, and on 5th May 2017 Equifax sent me an automated alert that my Credit Report had changed.

On 5th May 2017 I contacted Equifax to report that their alert had uncovered something going on with my account which was very suspicious. I pointed out the irregularities with my account and asked:

“Do you, perhaps, know anything about this please? I simply do not know how to follow this up.”

On the 8th May 2017 Equifax responded:

“Dear Keith

Thank you for getting in touch.

We acknowledge your concern, recently we’ve had some problems with our online systems, specifically to do with alerts. I notice that you’ve been affected by these problems from looking at your query. Rest assured, we’re looking into this issue at the moment and hope to fix it as soon as we can. We’re sorry for any confusion caused by this.

Kind regards

Equifax Customer Services”

Coincidence? Or the earliest evidence of the hack?

Faye asks: We want to know what you think of how Equifax handled the data breach. Do you think it’s acted promptly and adequately to protect customers? (1) If you’ve received one of its letters, did you understand it, and did you take up its offer of free protection? If not, why not? (2)

(1) The earliest reports in the media that Equifax had been hacked are dated 7th September 2017 in the New York Times. There was no mention of UK exposure. The earliest report that UK records may have been stolen was dated 11th September 2017, in the technical press (The Register). It is headlined ” 44m UK consumers on Equifax’s books. How many pwned? Blighty eagerly awaits spex on the breach Speculation mounts as Equifax stays mum”

This was followed up with more speculation from The Guardian on 16th September 2017.

It was not until The Register published on 12th October 2017 an article headlined “UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles ‘People have been left in the dark for too long’ ” where the UK was officially informed by Equifax (on 10th October 2017) that “Equifax said it had underestimated the effect the breach would have on UK accounts, as previously reported.

It now estimates a file containing 15.2 million UK records dating from between 2011 and 2016 was compromised. Most of the contents were duplicates or test data so in real terms the private details of almost 700,000 people has been exposed. Equifax has promised to contact affected Brit consumers by post. The breach began in May 2017 and persisted until it was discovered in July. Equifax has had weeks to get a grip on its incident response but has messed up at every turn.”

Compare all those dates with my report to Equifax on suspicious, inexplicable activity on my account, dated 5th May 2017, and their admission dated 8th May 2017.

I say to Which? that I categorically do NOT think Equifax had acted promptly, regardless of whether my report on suspicious activity was connected or not. Shouldn’t my early report now be properly investigated?

The UK has been officially left behind. What are the Financial and Parliamentary authorities proposing to do about this situation?

(2) I did receive a letter, and I certainly did understand it. I have not yet taken up any of their offers of extra protection, but I intend to. What is worth considering is that I am the sole carer of my 95-year-old Mother-in-Law who suffers from dementia, and that this data beach is incredibly disruptive to me. I dare say lots of UK residents are similarly severely inconvenienced by this.

We have a right to expect our financial data to be secure.

But now we have the thought that at any time in the future this data may be used against us, when we have all forgotten about the extra vigilence required!

I ask Which? to kindly consider under what circumstances should UK residents’ financial data be exported beyond the UK’s jurisdiction? (The data breach was a hack on the Apache server used by the USA arm of Equifax. The USA arm of Equifax had neglected to maintain its security updates! Why were there unprotected UK records on the USA data server?)

There are class-actions taking place in the USA (Republican politicians are trying to limit Equifax’s financial liabilities). What legal action can there be to compensate UK residents?

Once again, Thank you, Which?

Update: I have reported the Equifax breach of my personal data as a crime to Action Fraud (on 30th November, 2017), and received a National Crime Reference Number. I suggest other victims also so do: numbers might make a difference?

Spoke with the ICO again yesterday. Further confirmation that the data was indeed held in the USA. Equifax themselves claim that the data was always held in the USA. With the Data Controller for Equifax alos in the USA Equifax are not in the jurisdiction of the UK. Essentially, UK Citizens have been left completely exposed to ID theft and fraud and have no recourse. In the USA there are already multiple class action law suits. Here in the UK we do not have that option. We completely depend on Govt agencies to protect our data and police those that mishandle our data.
I am sure many of the 15 million UK citizens will have been through the process of setting up a Government Gateway account. It is a convoluted process. What use is all that security when once they have your personal data they can ship it out of the jurisdiction of the UK so that UK citizens data. The ICO’s position is that it is not down to them to stop Government, banks, utility companies from entering into agreements that put UK Citizens data out of UK protection (questionable that there is any level of protection in any case).
We have a third of adult UK Citizens data stolen and in the hands of criminals. The ICO are powerless to even assess how protected UK Citizens data is at Equifax even now. They cannot tell us what has been done to protect the data at Equifax from further breaches – none of the UK agencies involved can tell us that. They cannot een tell us which country that data is now stored in. They have no powers to investigate this as the data was always held in the UK.
The advice being provided by the ICO is that we should contact Equifaz directly as the ICO has no powers and can only “monitor” the situation aka – they are doing nothing. The National Cyber Security Centre part of GCHQ along with the FCA are advising victims to take the services offered in the letter. The NCSC and the FCA should be aware that in doing so UK Citizens will in fact be handing over even more data that will be held outwith their own jurisdiction. They are effectively recommending that we store out personal data with a company that has suffered multiple data breaches this year alone in different departments / data sources.
Why are the ICO not looking into the agreements between the primary data controllers of UK Govt, UK Banks, UK Utilities, etc and Equifax? The answer again is quite simple. They actually advise these businesses on how to set up these agreements so that they do not breach UK legislation. The majority of UK enterprises utilise standard privacy agreements with customers that allow them to “process” UK citizens’ data out of the jurisdiction of UK legislation.
The ICO have pretty much silent on this matter. I challenged them on why they have not informed the UK public regarding a third of the adult population of the UKs data being stolen. Their response is that they put a statement on their website. The statement doesn’t provide any information and does not even name the spokesperson. I asked why they are not providing information to victims when they call. They confirm that the line they have been given by the ICO is that they cannot discuss the matter as there is an ongoing investigation.
Matt Hancock’s office did not know about the breach. He is the Minister responsible for the ICO. At least Nicky Mogan and the Treasury Select Committee are at least active on Equifax. Why are the ICO saying nothing / hiding from a data breach that has implications for so many UK Citizens. I think the conclusion is pretty obvious. They are being shown up as a department that is not fit for purpose. GDPR will not change that. The UK needs a proper data protection strategy backed by a competent agency. The ICO need to go!

I have been checking the qualifications of the UK Information Commissioner, Elizabeth Denham, to see if she has the necessary skills to understand *anything* about cyber security. Apparently, the ‘powers that be’ have appointed someone with a History degree from the University of British Columbia.

Her predecessor, Christopher Graham, also had a degree in History but from Liverpool University.

His predecessor, Richard Thomas, ‘studied law at Southampton University’ (perhaps unsuccessfully, since Wikipedia only claims an ‘honorary Doctorate’ awarded later?)

And his predecessor, Elizabeth France, ‘read politics at Aberystwyth’…

It is no wonder that we have no enforceable statutory control over digital records, since all we have had to protect us are a bunch of useless technophobes with no personal knowledge of how computers work.

Why, for example, was it LEGAL for UK-Registered Credit Reference Agencies to hold and transmit personal data about the entire adult population of this country in an unencrypted form?

Why are UK-Registered Credit Reference Agencies allowed to keep their licences even when they are NOT updating their servers with the latest security patches?

Why are UK-Registered Credit Reference Agencies allowed to transmit sensitive personal information about UK citizens beyond the jurisdiction of the UK, where such data may be abused and where OUR data laws do not then apply?

Why are UK-Registered Credit Reference Agencies allowed to maintain insecure data servers abroad?

Why is the cyber security of financial organisations NOT being effectively monitored in the UK?

Why is the ICO asleep on the job? Not properly qualified to do the job, perhaps?

Are you reading this, Which?, because you may be our only hope!