Slashdot Mirror
Equifax Increases Number of Britons Affected By Data Breach To 700,000 (telegraph.co.uk)
phalse phace writes: You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."
Then we can be sure heads will roll, literally, in the Equifax C-suite.
No need to mete out the bad news. We know it was everyone.
Actually, it would be a lot more effective if the people who had their details exposed were the heads of major financial companies. These are the people who choose to share our details with companies like Equifax and perhaps if they have their own personal details exposed they may be a lot more careful with whom they share our data in the future.
I think that the single best piece of advice to give anyone who has a record held by Equifax is to assume that every single shred of information the company held on you has been compromised.
The UK's data regulator, the Information Commissioner's Office, must immediately demand that Equifax provide them with proof that every single UK citizen on whom Equifax has held data has been contacted and has acknowledged that contact.
Why so extreme? Because if one thing is apparent from this appalling incident it is that Equifax simply don't know what they are doing when it comes to safeguarding the data of their users. It is borderline offensive that a company can go public with a statement to admit that they have just detected a hack which took place months previously, only to then turn round within a matter of days and claim to know exactly what was accessed, what was stolen.
The bottom line is that if an attacker was good enough to get into their systems and wander around for days, weeks or months without being detected, then it stands to reason that they were also good enough to make sure that logs of their activities were disabled and/or wiped. The mere fact that Equifax were hacked in the first place should tell us everything that we need to know about placing reliance on their IT Security or IT Forensic skills. [ And no, hiring in an outside specialist consultancy to help may not be good enough. When the data is gone, it's gone - a good attacker will have left few traces].
There is another major problem with the Equifax approach. Publicly, they claim that "several hundred thousand" UK citizens may have been hit by their breach. Given the size of this number, it means that any individual contacted by Equifax will have to assume that "they are one of the unlucky ones". But this leaves us with two problems. Firstly, how do we know that Equifax aren't lying now and just contacting everyone? Are they making deliberately misleading statements to try and placate their regulators? Secondly - and potentially much more significantly - how do you know if you are an "Equifax customer" in the first place? They don't mean customer, do they? They mean data subject: i.e., victim. If you have a credit card or applied for a loan or purchased a car or an expensive product on any form of hire purchase or store credit agreement, then you are potentially an Equifax customer. But when you bought your three-piece suite or that new car, did the store or dealership explicitly tell you that their credit-checking services were provided by Equifax? I doubt it.
I think the British people need to be demanding that Equifax are:-
1. Given a *massive* fine by the Information Commissioner's Office.
2. Made to pay compensation to every UK citizen held in their records.
3. Forced to provide lifelong free credit protection services, including alerting them when people run credit checks against them or attempt to access their records.
3. Forced to disclose, completely, in 100% detail, every last scrap of data held by Equifax against every UK citizen. If necessary, to offer to explain to the person what has been taken and how it could be used, to educate their victims and help them defend against identity theft and fraud.
4. Have their license for operating in the UK revoked, immediately, and be prevented from operating in the UK or taking or collecting data from UK subjects.
Only something as clear and powerful as this will send a message to companies like Equifax that they are putting people at tremendous risk. These companies see themselves as untouchable, see their business model as all up-sides. They get their data for free as part of 2-way deals, and then sell it on for a profit.
These people are parasites.
They're lucky it happened now, maximum fine is £500,000.
Come May next year when GDPR comes into force they could've been charged 4% of global turnover.
There is legislation in the UK to allow individuals to be held responsible though, so it's possible Equifax's security chief, CTO, or CEO could be held personally responsible if there's sufficient evidence they mishandled it.
This industry is incredibly tightly regulated in the UK though, Equifax could lose it's license to practice as a CRA if there is evidence of severe negligence.
From Equifax' website:
Equifax is ISO/IEC 27001:2013 certified by a reputable independent third party.
It is difficult to imagine now that ISO/IEC 27001 (information security management) means anything.
Who is this "reputable independent third party"?