Credit reporting company Equifax has said 15.2m UK records were stolen in a cyberattack earlier this year and it has identified 693,665 British consumers whose details – including phone numbers and driving licence numbers – may have been stolen.
The US-based company suffered a huge breach in May this year, losing the information of 143m people. It announced the hack in early September and previously estimated that the details of 400,000 UK consumers might be at risk.
Sky News understands that this estimate was increased after third parties investigating the attack found another large dataset had been stolen.
Much of the information in the 15.2m records is junk data, although it could still contain the names and dates of birth of certain UK consumers, Equifax has said.
But 12,086 customers had their Equifax-associated email address breached and 14,961 customers with Equifax memberships have had portions of their usernames, passwords, secret questions and answers, and partial credit card answers accessed.
The company will offer those customers Equifax Protect, an identity protection service, for free, as well as giving further guidance in the letters they send to consumers.
The 666,618 remaining UK consumers – who were not direct customers of Equifax, but whose details may nevertheless have been stored by the company as part of the credit-checking process – had driving licence and phone numbers accessed.
Equifax has promised those consumers a free identity monitoring service.
Since the announcement of the breach, Equifax has faced multiple class-action lawsuits in the US.
Patricio Remon, president for Europe at Equifax said: “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act.
“Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
“It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
In a statement, the National Cyber Security Centre (NCSC) said:
“If you have been told by Equifax that security details from your Equifax.co.uk membership account – such as password and secret questions – have been accessed, you should ensure those details are not used on any other accounts.”
NCSC advise that passwords are managed carefully across online services – more information can be found on the NCSC website.
“Another risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” it said.
“The NCSC, with Equifax and partners including the NCA, ICO and FCA, continues to examine this incident and should further information come to light about the extent and nature of the impact on the UK, we will provide further updates and advice as soon as we can.”
:: How to react?
You should never respond to unsolicited phone calls or emails.
People should also monitor their credit report, which will show any credit accounts set up in your name.
If you believe you have been the victim of identity fraud, you should report it to your bank and to Action Fraud to receive a police crime reference number.