Now Equifax Claims 700K UK Customers Had Data Stolen

Under-fire credit agency Equifax has been forced once again to revise upwards the number of customers affected by a major data breach: this time claiming nearly 700,000 UK consumers had personal data stolen.

The firm initially claimed that around 400,000 UK customers were hit in the breach, which it said last week affected 145.5 million consumers, 2.5 million more than first thought.

However, after a forensics investigation by Mandiant, Equifax said it would be writing to 693,665 UK consumers.

It added:

“Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields.”

In the UK, there are four primary groups affected.

Some 12,086 consumers had an email address associated with their account in 2014 stolen; 14,961 had membership details from 2014 exposed, including username, password, secret questions and answers, and partial credit card details; 29,188 had driving license numbers compromised; and 637,430 had phone numbers accessed.

The firm is offering its Equifax Protect identity protection service for free to the first three groups and “a leading identity monitoring service” to the fourth.

The UK government’s National Cyber Security Centre has issued advice for consumers affected by the breach, warning them to manage passwords carefully across other services and to be on the lookout for highly convincing phishing and vishing attempts using the stolen data, including real names, dates of birth and phone numbers.

It said:

“Usually, if you are the target of a phishing message, your real name will not be used. However, in this case, if fraudsters have your name, people will need to be extra vigilant around any message that purports to be from an organization they deal with – especially when there are attachments or links which take people to sites asking for more personal information.”