One week after publicly revealing that a data breach had exposed the personal information and social security numbers of up to 143 million American consumers, credit reporting agency Equifax has revealed more details of just how many people are affected in the UK.
Although Equifax’s UK systems are said not to have fallen victim to the hackers (its systems and platforms are said to be entirely separate from those which impacted the agency’s US operations), that doesn’t mean that UK consumers are unaffected.
A statement posted on Equifax’s UK website (which had previously made no mention of the hack, first discovered by the company in July) confirmed that around 400,000 UK citizens have been affected by the data breach.
Equifax describes how its investigation into the data breach has uncovered that hackers managed to access “limited personal information for certain UK consumers”:
“Regrettably the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016. The information was restricted to: Name, date of birth, email address and a telephone number and Equifax can confirm that the data does not include any residential address information, password information or financial data.”
It’s important to note, I think, that we’re not talking about UK customers of Equifax but UK consumers.
Most Brits have little reason to have heard of Equifax, let alone done direct business with them. However, many companies do make use of Equifax’s credit-checking services to determine if consumers should be approved for a loan or allowed to open an account with them.
At least UK consumers don’t have to worry that their social security numbers are now in the hands of hackers (which is apparently the case for potentially half the population of the United States) following the breach. UK citizens don’t have social security numbers.
But that doesn’t mean that Brits have nothing to worry about. As the UK Government’s National Cyber Security Centre (NCSC) points out, the primary risk is probably that scammers might abuse the stolen email details to craft convincing phishing emails:
Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as:
‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’.
In typical phishing campaigns the email will contain your real name. However, because the hackers stole personal information from Equifax’s systems, they can craft more convincing-looking messages which are more likely to trick unwary recipients into responding, clicking on links, or opening malicious attachments.
And, of course, the emails may not claim to come from Equifax – but instead could be disguised as messages from a wide array of businesses and brands.
Furthermore, as telephone numbers were also grabbed by Equifax’s hackers, there is the potential for scammers to target unsuspecting consumers with scam phone calls. If you receive a suspicious call, don’t share any details, hang up, and contact the organisation that the caller claimed to be from, making sure not to use any contact details your suspicious caller provided.
The advice remains the same wherever you are in the world: be wary of suspicious communications (whether by phone or email) that ask you to confirm your security information or request your banking details, and think twice about clicking on links and email attachments.
written by Graham Cluley, ESET We Live Security