Equifax and the UK - what’s going on?

Rory Cellan-Jones
Technology correspondent
@BBCRoryCJ on Twitter


Last Thursday, the credit-scoring company Equifax revealed it had been the victim of what sounded like a disastrous hacking incident, with the data of 143 million US customers potentially put at risk.

The company's statement also mentioned unauthorised access to "limited personal information" for some UK residents.

Ever since, we have been trying to find out more from the company about the impact on the UK customers.

We want to know:

  • how many UK names are in the Equifax databases
  • whether any of their information has been accessed
  • what the company's advice is

But we have been met with a wall of silence.

On Friday, the UK's data protection regulator, the Information Commissioner's Office, put out a statement calling on Equifax to "alert affected UK customers at the earliest opportunity".

We contacted the PR company listed on Equifax's website as the point of contact for its UK business. But Four Broadgate told us that all inquiries were being handled in the United States and gave us an email address to contact.

We have sent a number of emails, but six days on, have received no replies about the UK situation. (We did, however, get a statement in response to queries about a vulnerability in the company's Argentine operation.)

A UK company called ClearScore, which works with Equifax to show 4.9 million people their credit scores, did put out a statement.

It told its customers: "At this stage, it looks like no UK financial information has been compromised in this attack."

But ClearScore said it had received no new information from Equifax since last Thursday evening.

Equifax has set up a website for concerned customers - but as it asks users to enter a US social security number to find out if they are affected by the data breach, it is of no use to anyone in the UK.

The very nature of a credit-scoring business, which collects data on people from a wide range of sources, makes it hard to assess just how many UK citizens could have data stored on Equifax's servers.

BT is among a number of British businesses that work with Equifax, using its databases to assess the creditworthiness of customers. But it too appears to be in the dark about just how much data was affected by the breach.

[Image: Equifax provides credit scores companies can use to decide whether to offer a service to individuals. Image source: Getty Images]

I have been calling the Information Commissioner's Office to point out that Equifax appears to have ignored its call for information "at the earliest opportunity".

But the ICO isn't saying anything, just referring back to Friday's statement.

The new Data Protection Act, which effectively copies the EU's General Data Protection Regulation (GDPR), will give the regulator more powers to punish companies that are careless about security, when it comes into force next year.

But, for now, millions of people in the UK are being given a lesson in how powerless they are when their data is shared around the world by companies that appear to have no interest in answering questions.

In a related development, Equifax has disclosed a few details about how its network came to be compromised.

It said the hackers exploited a vulnerability in a software module that can be used with the Apache web server program.

That flaw was known about in March this year and a patch had been made available soon after. Many organisations rushed to patch it as the vulnerability was reportedly "trivial" to exploit and was widely used by cyber-thieves after it became public.

But Equifax seems to have been one company that did not move quickly enough. It now has to explain why it did not act faster.