Slashdot Mirror


Equifax Increases Number of Britons Affected By Data Breach To 700,000 (telegraph.co.uk)

phalse phace writes: You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."

58 comments

  1. Please let one of them be Queen Elizabeth by Anonymous Coward · · Score: 2, Funny

    Then we can be sure heads will roll, literally, in the Equifax C-suite.

    1. Re: Please let one of them be Queen Elizabeth by Anonymous Coward · · Score: 2, Funny

      I'm sure the Queen would be furious if someone knew her information. Why, they might try to take out a loan in her name, or steal her tax return, or cash known bad checks in her name.

    2. Re: Please let one of them be Queen Elizabeth by Monster_user · · Score: 1

      1st Question: When would anyone the Queen and her court conducts business with have need of a credit history?

      2nd Question: When would the queen have need to buy anything using credit?

      3rd Question: Who, when conducting business with the west, would deny the Queen what she requests? When that is a matter of purchasing a desired good or product or service?

    3. Re: Please let one of them be Queen Elizabeth by MightyMartian · · Score: 3, Funny

      And ended up with Donald Trump as president

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re: Please let one of them be Queen Elizabeth by rtb61 · · Score: 1

      If it was the NSA who conducted the breach, then they already have the Queen's details, knowledge of tax evasion scams, corruption of democracy plots and the predilection of her family members for minors. When you are descended from homicidal maniacs who publicly tortured to death anyone who disagreed with them (also the rest of their family and even pets) and this without shame and embarrassment, in fact quite the opposite, celebrating the ancestors' psychopathic douche baggery, you and your family are bound to generate a lot of information of great interest to be used to extort cooperation that will benefit the US regardless of the consequences for the UK. This of course extends out to the entirety of UK politics and the corruption of that democracy to favour US corporate interests. It has become clear, that the US is no ally of the UK and just uses them as gullible fools. I wonder how much spying the US will have to do, to find out the F35 Flying Pig will not be flooding UK skies like the US hoped (and that the rejection is very likely to spread), well, more like sit stranded at airports without the crews or pilots to operate them or the cash to pay for them getting off the ground. Russia could most likely bankrupt the UK by repeatedly flying missions into international territory and have the UK intercept those flights at great expense. Rather than weekly or monthly, more like multiple random times every single day, Russia should likely work on creating a very very fuel efficient version of the Bear to burn Britain's play war budget. Interception cost huge amounts of money and the more the merrier, well as long as you are doing much cheaper than them, an order of magnitude cheaper ;D.

      --
      Chaos - everything, everywhere, everywhen
    5. Re: Please let one of them be Queen Elizabeth by mschwanke97402 · · Score: 2, Insightful

      Because Killary would have been so much better...

      Yes, Hillary would have been better without doubt.

    6. Re: Please let one of them be Queen Elizabeth by MightyMartian · · Score: 3, Insightful

      George W Bush sans two thirds of his brain would have been better. A lobotomized trout would have been better.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    7. Re: Please let one of them be Queen Elizabeth by Anonymous Coward · · Score: 0

      Trump, Trump, Trumpity Trump Trump TRUMP!!!!1!!

    8. Re: Please let one of them be Queen Elizabeth by Maritz · · Score: 4, Insightful

      Literally any fucking eligible human citizen would be better. Including Killary. Open a phone book and point. Better than Trump.

      You fell for Russian psyops, dopey cunt.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    9. Re: Please let one of them be Queen Elizabeth by Anonymous Coward · · Score: 1

      No sense crying in your beer because your president can't get anything done.

      There's a lesson for you in it all: when somebody submits a resume that clearly shows they are not qualified for the job, you don't fucking hire them.

      Of course Hillary would have been better. On top of her own political experience, she would have been backed by her husband's experience, who, if I recall correctly, carried a fucking booming economy during his two terms in office. But lemme guess, you're going to try to spin it to give the Republicans credit for that, aren't you?

    10. Re: Please let one of them be Queen Elizabeth by torkus · · Score: 1

      Because Killary would have been so much better...

      Yes, Hillary would have been better without doubt.

      Yup, you keep feeding off those 'unbiased' media reports there and preaching about freedom and rights while telling others their opinions are hate speech crimes that should be prosecuted.

      You don't have to be a fan of Trump to see the stupidity surrounding the rabid Hillary supporters.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    11. Re: Please let one of them be Queen Elizabeth by sdinfoserv · · Score: 1

      The election of Humpty-Trumpy and the frenzied zombies who continue to follow him only demonstrate how broken the system is.
      Decades of GOP attack on critical thinking has succeeded. Attack scientists, attack news, attack (defund) education/npr and you can eliminate questions about trickle-down economics, religion, climate change, fracking, scientific method and push through whatever pseudo-crap you want to ensure the oligarchy continue to pillage people and the environment for profit at will with an ever accelerating rate.
      As a point, Hildabast is part of the same broken system, so it really didn't matter. Trump is just less politically correct and stuck socially in 1978.

    12. Re: Please let one of them be Queen Elizabeth by sdinfoserv · · Score: 1

      Hillary is just as corrupt, perhaps more so. She's just less crass and able to politically maneuver.

    13. Re: Please let one of them be Queen Elizabeth by Anonymous Coward · · Score: 0

      Hey, dummy, ALL politicians are corrupt.

  2. 700,000 Britons, so how many Chavs? by Anonymous Coward · · Score: 1

    I love imperial math units.

  3. Come on now, Equifax by bravecanadian · · Score: 2

    No need to mete out the bad news. We know it was everyone.

    1. Re:Come on now, Equifax by olsmeister · · Score: 1

      This is how you boil a frog without it jumping out of the pot.

    2. Re: Come on now, Equifax by Monster_user · · Score: 1

      Frog done been cooked. Now they're just prolonging it out of pure sadistic enjoyment.

  4. What!? Equifax couldn't keep a correct count? by Anonymous Coward · · Score: 0

    That's shocking!

  5. Good News by Anonymous Coward · · Score: 1

    This is good news! The fact that this affected people outside the US means that maybe a government without a mouth full of corporate dicks will actually do something about it.

    1. Re:Good News by Anonymous Coward · · Score: 0

      a government without a mouth full of corporate dicks

      On what planet do you expect to find that? Only one with no life...

    2. Re: Good News by sound+vision · · Score: 1

      I doubt they can do much more than force organizations in their country not to provide this kind of information. Which is great for people in that country, but it won't hurt Equifax much at all. I doubt the WTO or any other international body can/will do anything.

    3. Re: Good News by Xest · · Score: 3, Interesting

      They're lucky it happened now, maximum fine is £500,000.

      Come May next year when GDPR comes into force they could've been charged 4% of global turnover.

      There is legislation in the UK to allow individuals to be held responsible though, so it's possible Equifax's security chief, CTO, or CEO could be held personally responsible if there's sufficient evidence they mishandled it.

      This industry is incredibly tightly regulated in the UK though, Equifax could lose its license to practice as a CRA if there is evidence of severe negligence.

  6. Sucks by Anonymous Coward · · Score: 1

    When you get caught with something ( in this case data ) you're not even supposed to have . . . . . . .

    I like how they try to downplay it by pretending it was only X or Y. Completely avoiding the whole question of why they have it in the first place. :|

  7. Re:Come on now, Equifax {no - thank them} by charliemerritt03 · · Score: 1

    Why don't you tell everyone that your business model sucks - people are the product. At least Equifax has caused a review of IDENTITY. Just finished setting up a utility at a new home - guy wanted my SSN just to hook up some "service" - a point at which I normally balk; but then EQUIFAX comes to mind. Why not broadcast my SSN? Equifax has. I gave the guy the SSN frequently associated with a name similar to what I gave him. Passed a "credit check". Really, honestly, might not be 'me' - so thanx, Equifax.

  8. Financial CEOs by Roger+W+Moore · · Score: 4, Interesting

    Actually, it would be a lot more effective if the people who had their details exposed were the heads of major financial companies. These are the people who choose to share our details with companies like Equifax and perhaps if they have their own personal details exposed they may be a lot more careful with whom they share our data in the future.

    1. Re: Financial CEOs by Monster_user · · Score: 1

      Maybe.

      However, I would surmise that it is unlikely.

      You have to ask yourself, what did these companies hire Equifax to do? It wasn't to safeguard the data of their customers.

    2. Re:Financial CEOs by Dutch+Gun · · Score: 4, Insightful

      The wealthy aren't affected by these breaches. They can simply hire other people to worry about that sort of bothersome thing on their behalf. Any sort of problem like "identity theft" is resolved with a simple phone call to their bank's manager, with whom they occasionally golf on the weekends.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  9. Should just assume *all* data is compromised by LostOne · · Score: 1

    I don't know why they don't just admit that *everyone's* information is compromised and just be done with it.

    And then all credit bureaus should be forcibly shut down and their databases burned. They are completely unnecessary and it's not even clear they provide a benefit to the lenders that use (and pay) them.

    --

    If it works in theory, try something else in practice.
  10. Can we get a quote from Prince Phillip? by sandbagger · · Score: 1

    He usually has some wise words.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:Can we get a quote from Prince Phillip? by mschwanke97402 · · Score: 1

      He usually has some wise words.

      Ahem, His Royal Highness has recently retired from public life, so, no.

  11. PEOPLE ARE NOT CUSTOMERS by Anonymous Coward · · Score: 0

    We are the product. Full stop.

    They don't give a shit about us.

  12. That's nothing by Anonymous Coward · · Score: 0

    Only 700k? There's like 65 million Brits. Come on Equifax, you can do better than that.

  13. Whitelist by RyoShin · · Score: 1

    Perhaps it would be simpler to just start a list of everyone not affected by this data breach? It might sound like it would still be a long list, but after another year of revelations I think it will top out to a few dozen, maybe 50, people at most.

    1. Re:Whitelist by mschwanke97402 · · Score: 1

      Perhaps it would be simpler to just start a list of everyone not affected by this data breach? It might sound like it would still be a long list, but after another year of revelations I think it will top out to a few dozen, maybe 50, people at most.

      That many people in Equifax’ upper management?

    2. Re:Whitelist by Actually,+I+do+RTFA · · Score: 1

      Obviously they cannot publish a whitelist. The only people who weren't affected are the people Equifax doesn't know about.

      --
      Your ad here. Ask me how!
    3. Re:Whitelist by Big+Hairy+Ian · · Score: 1

      Perhaps it would be simpler to just start a list of everyone not affected by this data breach?

      What you mean both of them?

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  14. Keeps giving by Anonymous Coward · · Score: 0

    Equifax: The gift that keeps giving!

  15. Class Action? by Anonymous Coward · · Score: 0

    I certainly hope there's going to be some repercussions. Government legislated minimum security standards and regular audits for companies perhaps? Class action from those affected?

  16. neekap by Anonymous Coward · · Score: 0

    Have the responsible ex-officers of EFAX been vigilanteed by aggrieved debtors & kneecapped ... yet ?

  17. Cycle repeats, - Following the footsteps of Yahoo! by Anonymous Coward · · Score: 0

    Day 1 -
    Reporter: You are hacked, dude
    Equifax: Hacked? Us? You're Joking
    Day 2 -
    Equifax: Alright we got hacked. 1/3rd of our gazillion userbase accounts got hacked.
    Day 3 -
    Equifax: Alright we were wrong. Half our gazillion userbase accounts got hacked.
    Day 4-
    [Company XYZ screws up big time that makes it to the front page of NYT (fake news)]
    Equifax: Alright *cough* all *cough* our gazillion accounts were hacked on Day 1.

  18. The Only Safe Course Of Action... by ytene · · Score: 2

    I think that the single best piece of advice to give anyone who has a record held by Equifax is to assume that every single shred of information the company held on you has been compromised.

    The UK's data regulator, the Information Commissioner's Office, must immediately demand that Equifax provide them with proof that every single UK citizen on whom Equifax has held data has been contacted and has acknowledged that contact.

    Why so extreme? Because if one thing is apparent from this appalling incident it is that Equifax simply don't know what they are doing when it comes to safeguarding the data of their users. It is borderline offensive that a company can go public with a statement to admit that they have just detected a hack which took place months previously, only to then turn round within a matter of days and claim to know exactly what was accessed, what was stolen.

    The bottom line is that if an attacker was good enough to get into their systems and wander around for days, weeks or months without being detected, then it stands to reason that they were also good enough to make sure that logs of their activities were disabled and/or wiped. The mere fact that Equifax were hacked in the first place should tell us everything that we need to know about placing reliance on their IT Security or IT Forensic skills. [ And no, hiring in an outside specialist consultancy to help may not be good enough. When the data is gone, it's gone - a good attacker will have left few traces].

    There is another major problem with the Equifax approach. Publicly, they claim that "several hundred thousand" UK citizens may have been hit by their breach. Given the size of this number, it means that any individual contacted by Equifax will have to assume that "they are one of the unlucky ones". But this leaves us with two problems. Firstly, how do we know that Equifax aren't lying now and just contacting everyone? Are they making deliberately misleading statements to try and placate their regulators? Secondly - and potentially much more significantly - how do you know if you are an "Equifax customer" in the first place? They don't mean customer, do they? They mean data subject: i.e., victim. If you have a credit card or applied for a loan or purchased a car or an expensive product on any form of hire purchase or store credit agreement, then you are potentially an Equifax customer. But when you bought your three-piece suite or that new car, did the store or dealership explicitly tell you that their credit-checking services were provided by Equifax? I doubt it.

    I think the British people need to be demanding that Equifax are:-

    1. Given a *massive* fine by the Information Commissioner's Office.
    2. Made to pay compensation to every UK citizen held in their records.
    3. Forced to provide lifelong free credit protection services, including alerting them when people run credit checks against them or attempt to access their records.
    3. Forced to disclose, completely, in 100% detail, every last scrap of data held by Equifax against every UK citizen. If necessary, to offer to explain to the person what has been taken and how it could be used, to educate their victims and help them defend against identity theft and fraud.
    4. Have their license for operating in the UK revoked, immediately, and be prevented from operating in the UK or taking or collecting data from UK subjects.

    Only something as clear and powerful as this will send a message to companies like Equifax that they are putting people at tremendous risk. These companies see themselves as untouchable, see their business model as all up-sides. They get their data for free as part of 2-way deals, and then sell it on for a profit.

    These people are parasites.

    1. Re:The Only Safe Course Of Action... by Maritz · · Score: 1

      They should be broken up. Simple as that. Fuck ups this big should result in the company in question not existing any more. Anything less will be seen for what it is - permission to do whatever the fuck they like.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:The Only Safe Course Of Action... by AmiMoJo · · Score: 1

      You can't punish Equifax too harshly because if they collapse they take millions of people's credit history with them. If, for example, your years of on-time mortgage payments are logged by Equifax and their records go away, all that information will be lost and your perceived risk to creditors will go up.

      For Equifax to lose their licence what they did would have to be worse than the consequences of those records being lost.

      However...

      3. Forced to provide lifelong free credit protection services, including alerting them when people run credit checks against them or attempt to access their records.
      3. Forced to disclose, completely, in 100% detail, every last scrap of data held by Equifax against every UK citizen. If necessary, to offer to explain to the person what has been taken and how it could be used, to educate their victims and help them defend against identity theft and fraud.

      Those should be mandatory for all credit reference agencies anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:The Only Safe Course Of Action... by ytene · · Score: 1

      So what you are essentially arguing is that Equifax are 'too big to fail'? That the cure is worse than the disease?

      Sorry, I don't buy it. Equifax have already demonstrated that they cannot be trusted to keep consumer data safe. There are only two remedies for this:

      1. Take the data away from them.
      2. Find a way of providing an absolutely SOLID guarantee that all their data is now and will remain 100% secure...

      Think about that second item for a moment. Who among their data subjects would trust them with continued access to their data? Not me. If you want to argue that the data held by Equifax, if lost, would disadvantage their data subjects, then require copies of that data to be given to one of the alternate providers. Demand some form of licensing analogous to an "information broker operating license", enforced by a government agency (in the UK this would be the Information Commissioner's Office). Have anyone applying for a broker license be required to place a financial bond in escrow, so that if an event like this occurs, the company can be forcibly liquidated and the escrow funds can be used to support their victims.

      In other words, create an environment where it is easier, cheaper and safer for companies wishing to provide Equifax-like services to do the job properly, accurately and securely. Until such time as the environment means that a failure to do these things will have painful repercussions for those wanting to hold and process that data.

      Remember, this company - and others in this sector - are harvesting a vast amount of information about private citizens, yet they are using and selling it for the benefit of themselves and private companies. This is an incongruous relationship for those who are the subjects of the data from which Equifax profits.

      Whatever we do, there is one thing that we simply cannot allow to happen: we cannot allow this situation to occur without a significant and cautionary penalty to be applied to Equifax and their Directors. They cannot be allowed to "get away with it", to have presided over this disaster and yet escape without legal sanction and appropriate penalty. Make no mistake, their "oversight" could easily destroy people's lives. That negligence has to be addressed.

    4. Re:The Only Safe Course Of Action... by ytene · · Score: 1

      Agreed - but I would go further...

      The government concerned needs to send a clear message to other information brokers, to make it very clear to them that there is zero tolerance for this sort of data breach. There needs to be a real, material punishment. I accept that revoking an [information broker] license that would bar the culprit from the market permanently, but I would like to see the participants actually held to personal account for the failures they have presided over.

      And if there aren't sufficiently strong laws to punish companies that free-load off *our* data like this, without any current form of sanction available, then we need some. Pronto.

    5. Re:The Only Safe Course Of Action... by AmiMoJo · · Score: 1

      Yes, that's what I'm saying. You could write to them withdrawing your consent for them to hold data about you, but all that would do is damage your ability to get credit.

      I agree it's a really bad situation. Taking the data off them wouldn't really solve the problem, just hand it to another bunch of idiots. The core of the problem is relying on such databases to determine credit worthiness.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:The Only Safe Course Of Action... by ytene · · Score: 1

      Curiously, I find myself agreeing with you about everything you write except our differing view on the appropriate remedy.

      We agree it's a bad situation...

      With respect to taking the data away from Equifax, we have a slightly different view. In my ideal world, the government would step in, bar Equifax from operating, charge the directors with criminal negligence and then take the Equifax data set and offer it for sale to other companies in the market. They would include a set of terms and conditions that would make it a legal requirement for anyone accepting the Equifax data to post escrow/bond for the safekeeping of the data, and they would be signing up their directors for massive sanctions for failure.

      If none of the competitors liked the terms, they had better start thinking to get out of the credit checking [data slurping] business.

      Pretty much the only difference between us is that I think we already *know* that Equifax cannot be trusted. With the others in the market, at least we have a 50-50 chance they can do better, right? And if not, the terms of their data acquisition would make their culpability a certainty. Finally, the money raised from the fire sale of Equifax's assets as they are forcibly liquidated by the government would be divided up and paid to everyone on whom they have a record. Even if it is one cent per person.

      And I would do that as a visible, public warning to others: "if you hold data on private citizens and don't keep it safe, we are coming for you..."

      The sad truth is that unless or until a message of this stark, unwavering savagery is delivered, companies will carry on thumbing their noses at us. They make money, we suffer fraud. This is not a justifiable state of affairs.

  19. ISO certification by pD-brane · · Score: 4, Interesting

    From Equifax' website:

    Equifax is ISO/IEC 27001:2013 certified by a reputable independent third party.

    It is difficult to imagine now that ISO/IEC 27001 (information security management) means anything.
    Who is this "reputable independent third party"?

    1. Re:ISO certification by ytene · · Score: 3, Interesting

      In order for Equifax to legitimately place that statement on their web site, they would have been required to complete an annual ISO27001 Security Audit, conducted by a Certified ISO Security Auditor.

      Such an audit is valid for a maximum duration of 12 months and thus has to be completed annually. It would be very interesting to compare the results of that audit with details of the system[s] that were breached, to determine what level of diligence was provided by the ISO Auditor.

      I wonder if Equifax can substantiate that claim? Interesting...

    2. Re:ISO certification by Wootery · · Score: 1

      Does the auditing process involve proper tiger-team pen-testing?

    3. Re:ISO certification by Anonymous Coward · · Score: 0

      From Equifax' website:

      Equifax is ISO/IEC 27001:2013 certified by a reputable independent third party.

      It is difficult to imagine now that ISO/IEC 27001 (information security management) means anything.
      Who is this "reputable independent third party"?

      The company owned by the wife of one of the C-level execs - you know, the one that flunked out of beauty school.

    4. Re:ISO certification by chihowa · · Score: 1

      They're not going to tell you that! That third party has a reputation to uphold.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  20. Unstated but ultimately correct bottom line by idontgno · · Score: 1

    If you have ever participated in the 20th or 21st Century banking or credit system, Equifax has given away your personally identifiable information.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  21. What? Deliberately? by Anonymous Coward · · Score: 0

    I read the headline

    Equifax Increases Number of Britons Affected By Data Breach To 700,000

    to mean not enough Britons were affected by the data breach, so Equifax leaked more to bring the total up to a more respectable 700,000.