44m UK consumers on Equifax's books. How many pwned? Blighty eagerly awaits spex on the breach

The impact of the Equifax data leak in the UK remains unclear days after the breach was first made public, amid reports estimating that the personal details of up to 44 million Brits could have been exposed. The credit reference agency and its UK subsidiaries provide services for UK companies including BT, Capital One and …

  1. Anonymous Coward

    So much worse than that ...

    (AC, obviously)

    the feature-creep of the credit reference agencies has certainly affected car and general insurance. Anyone who has used an aggregator service in the past 2 years will almost certainly have had their details verified using a service which goes back to Equifax/Experian.

    Given that HMG is also an enthusiastic user of such services, WHAT ARE THEY DOING TO PROTECT THEIR CITIZENS, apart from the fuck-all currently on display.

    Having been very closely involved with a lot of law-enforcement initiatives, it's painful to note that worldwide, UK citizens are a prize catch due to the useless nature of our government. As in so many other things, we could learn from the rest of Europe - particularly Germany.

    1. Anonymous Coward

      Re: So much worse than that ...

      "Given that HMG is also an enthusiastic user of such services, WHAT ARE THEY DOING TO PROTECT THEIR CITIZENS, apart from the fuck-all currently on display."

      Probably nothing more than a couple of civil servants having a nice drinky poos around the Westminster bar saying "I say, what a terrible business old man!", "Yes, isn't it what what. Never mind, another Glenfiddich?".

      The government and the tax man only start giving a shit when THEY lose money, they don't give a monkeys if you lose any or all of yours either directly or indirectly through identity theft. Parties of all colours have shown the contempt they hold for the private details of UK citizens. Medical records to India? No problem. Data security? Who cares, we're saving a few quid.

      1. Anonymous Coward

        Re: So much worse than that ...

        Maybe a little early for Schadenfreude, but I suspect some high-flying civil servants might be a low-hanging fruit for scamsters.

        1. Anonymous Coward

          Re: Fraudsters never attack those in power...

          else they draw attention. They would much more likely legitimise the method of extracting money. There are various ways to do so, with a smooth tongue and a bridge to sell...

      2. streaky

        Re: So much worse than that ...

        "Yes, isn't it what what. Never mind, another Glenfiddich?"

        I really hope our civil servants have better taste in whisky than Glenfiddich.

        More on topic it's not entirely obvious what they can do. It's down to the ICO to figure out if there should be a prosecution and not really anybody else.

        Nobody in the EU you guys all love so much wanted to put a requirement to notify in the EU data protection directives so we don't have one. If we weren't in the EU we'd have had one years ago.

        1. Adam 52 Silver badge

          Re: So much worse than that ...

          "More on topic it's not entirely obvious what they can do. It's down to the ICO to figure out if there should be a prosecution and not really anybody else."

          Remove the exemption that allows the credit reference agencies to store incorrect information would be a start. And allow people to opt-out of data processing would help. And stop giving them access to the unfiltered electoral roll.

          Plenty of things the government could do if it weren't in the pay of the banks.

    2. Anonymous Coward

      Re: So much worse than that ...

      Actually, it's worse than worse than that (a fate worse than a fate worse than death ...)

      Whilst fuck all progress has been made legitimately with "big data" (too many spivs), there has been a seismic shift in the illegitimate use of big data.

      When miscreants around the world start marrying the Equifax data with *other* sources of data - probably all publicly visible (Facebook for a start), you have the perfect storm for some very intractable identity theft.

      Echoing the PP about the UK government, bear in mind there have been victims of identity theft who have had to be issued with new NI numbers, as it wasn't possible to undo the damage associated with the old one.

    3. Doctor Syntax Silver badge

      Re: So much worse than that ...

      "Given that HMG is also an enthusiastic user of such services, WHAT ARE THEY DOING TO PROTECT THEIR CITIZENS, apart from the fuck-all currently on display."

      Working hard at getting out from under any sort of extra-territorial jurisdiction that could hold them to account (standard MP uselessness will make sure Parliament won't).

  2. inmypjs Silver badge

    Crucified

    is what Equifax deserve for this if only 'Pour Encourager Les Autres'

    I hope any business using Equifax stops and they fold.

    I had a Capital One credit card for a while and refused the free offer of Equifax credit reporting and monitoring. I didn't think it worth the risk of giving them more personal information than they already had. I suppose I just have to keep my fingers crossed.

    1. Gnosis_Carmot

      Re: Crucified

      "I didn't think it worth the risk of giving them more personal information than they already had."

      They probably had every bit of that information anyway. You'd be amazed at how much they know about you. It's probably up there with what the NSA has.

      NSA here : Not quite, but close.

    2. Chris Miller

      Re: Crucified

      The class action lawyers (in the US) are already recruiting. This is going to cost Equifax a minimum of 9 digits.

      1. a_yank_lurker

        Re: Crucified

        Thinking of signing up, not for the money to me but bankrupt Equinefax. Also, I would like to see the C-suite being roasted alive for crimes against humanity (not going to happen but I can dream).

    3. DropBear
      Gimp

      Re: Crucified

      Look, I watched as much deep throat / bizarre porn as the next guy but what you're suggesting here makes even me uncomfortable...

  3. iron Silver badge

    Proof reading?

    The quality of English in El Reg articles has gone seriously downhill in the last 12 months, did you sack all your proof readers or just not have any to begin with?

    "BT has confirmed it was a user of Equifax services, with a spokesman adding it was in dialogue with credit reference agency about the matter. A BT spokesman courtesy told El Reg he wasn’t able to share any more at this point."

    The first sentence in that article is missing a definite article and the second just doesn't make any sense grammatically. There are also multiple references to Equinox in the article that I presume should be Equifax.

    1. Rich 11

      Re: Proof reading?

      "The quality of English in El Reg articles has gone seriously downhill in the last 12 months, did you sack all your proof readers or just not have any to begin with?"

      This sentence could do with a spot of proof-reading too.

      1. Commswonk
        Facepalm

        Re: Proof reading?

        "This sentence could do with a spot of proof-reading too."

        I think you meant That sentence could do with a spot of proof-reading too.

        Muphry's Law strikes again. It can never be repealed.

    2. wolfetone Silver badge

      Re: Proof reading?

      Plot twist: "Iron" is actually an El Reg author

    3. Anonymous Coward

      Re: Proof reading?

      Presumably the missing article is due to Russian hacking.

    4. PNGuinn
      Trollface

      Re: Proof reading? @iron

      And you, sir, are missing a Grammar Nazi icon.

      May I claim my £5?

  4. Anonymous Coward

    So the bodies using this service have been passing them information in the process?

    No more wrist slapping, take them to the cleaners and break them on the wheel and fine anyone who used them as well. Everybody involved is guilty except the victim who ends up paying for it all

    All these agencies have been making money off our backs for years and when that is not enough for them then "oops, your data just slipped through our fingers and into the hands of the more orthodox criminals"

    1. Anonymous Coward

      Re: So the bodies using this service have been passing them information in the process?

      You don't appear to understand how credit reference agencies work, or you wouldn't be at all surprised that as part of the deal their customers (companies who provide credit) give them information on how you behave, such as missed/late payments.

      1. Doctor Syntax Silver badge

        Re: So the bodies using this service have been passing them information in the process?

        "You don't appear to understand how credit reference agencies work"

        We understand all right. We just don't like it.

    2. Steven Jones

      Re: So the bodies using this service have been passing them information in the process?

      Credit Reference Agencies get feeds from almost every major company that deals with the consumer on an account basis. They will get feeds from all the credit card companies about late payments, balance, from banks, things like unapproved overdrafts. They'll have feeds from your phone company about missing/late payments. If you've got a store card and are in deficit, they'll know about that too.

      It's not just company data - they'll know if there are any county court judgements, or if you are on the electoral roll and probably if you owe money on your council tax.

      Their fingers are everywhere. What's worse, if there's a problem with the source that provides adverse information (as sometimes happens - maybe some company has reported a bad debt wrongly) then the credit bureau washes its hands. It's up to you to get the error corrected by whoever reported it. There have been some horror stories about that.

      If you want to find out what they know about you, then sign up for one of the free services, like Clearscore. You might learn something about how information passes around.

      In any event, there are going to be some big, big fines levied here. Not just in the US, but in the EU and (I hope) the UK. After all, the various US finance regulatory bodies have been making quite a nice pile of money fining European banks for misdemeanours.

      1. cantankerous swineherd
        Mushroom

        Re: So the bodies using this service have been passing them information in the process?

        clearscore appear to be a bastard child of capital one and google. amongst other things they'll only answer a subject access request if you give them phone number (why?) and photocopies of passport & driving licence. no dl and passport? no subject access. if i thought it would make a difference I'd tell the ico.

  5. katrinab Silver badge

    Answer: probably everyone

    Unless you are a child who doesn't have a bank account, or an illegally trafficked slave, it is pretty much guaranteed that Equifax has a file on you.

  6. sysconfig

    EU data protection?

    "Customers of these companies might therefore be affected by the attack despite not having signed up for Equifax's services. The US agency holds the personal details of 44 million UK citizens"

    I'd be curious on which legal basis they hold the data in the US. And I'd be even more curious how they are going to inform all non-customers about the data they kept and failed to secure. 44 million UK citizens, for Christ's sake. That's almost all of the adult population.

    1. katrinab Silver badge

      Re: EU data protection?

      It is basically all of the adult population, except for people who aren't on the electoral register and have never had a financial product in their life.

      1. wolfetone Silver badge

        Re: EU data protection?

        "except for people who aren't on the electoral register and have never had a financial product in their life."

        Lucky bastards.

        1. Ken Moorhouse Silver badge

          Re: Lucky bastards.

          Kindly refrain from referring to our monarch in this fashion.

          1. wolfetone Silver badge

            Re: Lucky bastards.

            I will, just as soon as I work out what "lucky bastards" is in German.

          2. katrinab Silver badge

            Re: Lucky bastards.

            The Queen is entitled to vote in EU elections. It is less clear whether or not she is entitled to vote in Westminster or local elections, but she doesn't.

            She certainly has financial products. I'm sure the electricity supplier did a credit check before deciding to open the account at Buckingham Palace, so Equifax will have a file on her.

      2. Steven Jones

        Re: EU data protection?

        By financial product, you have to include virtually everything paid on account. Like all the utilities, and probably local government too.

    2. Anonymous Coward

      Re: EU data protection?

      Legal basis? Legal basis?? What is this "legal basis" of which you speak? American corporations don't need no stinkin' "legal basis". They have the Marines, drones, B-52s, F-16s, napalm and white phosphorus.

      And the alphabet soup.

      Just be grateful they haven't disappeared you - yet.

    3. Commswonk

      Re: EU data protection?

      "I'd be curious on which legal basis they hold the data in the US."

      I'd be equally curious about the legal basis on which they contacted Equifax in connection with me in the first place. By way of example, when I added broadband to my telephone account all those years ago it was all done over the 'phone and there was certainly no caveat that "we are going to discuss you with Equifax just to be on the safe side"; similarly I have no recollection of any similar warnings when we have changed energy supplier.

      So never mind holding the data in the US; what is the basis of it being shared with another party in the first place without my clear informed consent? Do I sue Equifax with which I have no contract, or do I sue the organisations that shared information about me with Equifax?

    4. Doctor Syntax Silver badge

      Re: EU data protection?

      And I'd be even more curious how they are going to inform all non-customers products about the data they kept

      FTFY

  7. Ken Moorhouse Silver badge

    This is what we all need to do...

    Right now... En masse...

    https://www.gov.uk/change-name-deed-poll/make-an-adult-deed-poll

    1. John G Imrie

      Re: This is what we all need to do...

      Even better we all need to change our names to Equifax

  8. Anonymous Coward

    Wow

    This particular breach is the real deal. Massively sensitive info, on just about everyone. Equifax should get proper fucked for this.

    1. wolfetone Silver badge

      Re: Wow

      Considering the Sony hack a few years ago generated a fine of £250,000, I would not hold your breath.

  9. chivo243 Silver badge
    Facepalm

    What happens when we're all pwnd?

    Is it game over? Do we start again, with newly assigned social numbers etc, and 3 new guys like in PacMan?

    I know what a pain this can be. A family member had their identity stolen back in February, and still has not finished cleaning up that mess.

  10. Anonymous South African Coward Bronze badge

    "It also said that the “arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident” in response to US consumer concerns that finding out if they had been affected by the breach might mean foregoing participation in a class action lawsuit."

    Say what again? I'm sure that's not the get-out-of-jail card you're looking for...

    1. John G Imrie

      Verbal contract

      I suspect that this statement is worth less than the proverbial verbal contract.

  11. Mr Dogshit

    Surely someone should ask a question in the House at this point?

    1. wiggers

      Take a letter to The Times, Miss Jones...

    2. Anonymous Coward

      re: Surely someone should ask a question in the House at this point?

      Assuming you mean House *of Commons* (not Representatives) then you're a bit behind the times.

      The next 5 or so years of UK parliamentary time are devoted to a single subject.

      Brexit.

      And like a badly written program, on a badly written OS, Brexit has ALREADY STARTED to consume resources at an alarming rate. Just wait until every single organ of government is at 100%, and you can't even process a hardware interrupt.

  12. Andy The Hat Silver badge

    Did I opt in ...

    I seem to recall the clause "we may contact credit reference agencies ..." at the bottom of some contracts which I took to mean "we'll check to see if you've got a dodgy financial history". At no point do I recall "we will give data to credit reference agencies which will be stored in a database outside the 'safe harbour' agreements".

    To be honest, that one company can have so much personal data without the knowledge of the individual is damn scary ...

  13. anthonyhegedus Silver badge

    Equinox? What's Equinox?

    1. BoldMan

      1) The moment the Sun passes from the Earth's Northern Hemisphere to the South and vice versa

      2) A sadly missed science documentary program that used to be on Channel4

      3) An album by Jean Michell Jarre

      any more?

      1. JimmyPage Silver badge
        Happy

        er (showing age)

        an occult bookshop owned by former Led Zeppelin guitarist on the Kings Road, London?

      2. anthonyhegedus Silver badge

        I was referring to the two references to Equinox in the article. Does anyone even slightly proofread their articles any more?

      3. Naselus

        I seem to recall an also-ran in the Grand National in about 1996?

        1. wolfetone Silver badge

          "I seem to recall an also-ran in the Grand National in about 1996?"

          Either you're a time traveller with poor memory or you're just a little confused. Equinox fell at the 1849 Grand National.

      4. Teiwaz

        "3) An album by Jean Michell Jarre"

        That's 'Equinoxe' or 'Équinoxe'

        1. Anonymous Coward

          Similarly it's 'Jean-Michel Jarre'. A favored composer here and there's damned few living ones I can say that about.

      5. This post has been deleted by its author

      6. theDeathOfRats
        1. Ken Moorhouse Silver badge

          Re: @BoldMan, any more?

          An insurance company for accident-prone horse owners

      7. JimboSmith Silver badge

        @BoldMan

        A nightclub in Leicester Square London, (and others around the country with the same name) used to be next to the Empire cinema.

    2. Ken Moorhouse Silver badge

      Re: Equinox? What's Equinox?

      It's what you get when you cross a cow with a horse.

  14. it_wasnt_me

    They can't even get the SSL certificate installed correctly on the website they've put together to "help" - there's a missing intermediate cert, so I imagine a number of people will be getting browser warnings if they visit the site.

  15. Anonymous Coward

    Umm, just in case, be careful with any Equifax agreement

    There are reports from the US that Equifax's "generous" offer of one year free after the breach was originally about even making money off the consequences as people were effectively signing up to a service which became payable in year 2. Of course, once that became public they quietly rolled that back, but those actions suggest they're not very sorry about the breach and its impact on customers.

  16. scrubber

    Class action

    Scammers can now do identity theft of 144m people and get a few billion claiming to be them in the class action lawsuit.

  17. Anonymous Coward

    @scrubber

    "Scammers can now do identity theft of 144m people and get a few billion claiming to be them in the class action lawsuit."

    No class action in the UK, here it will be "identity card or we don't know it is you" and some number to remember along with your National Insurance number.

    That no real punishment will be applied to the industry and the companies we are forced to deal with is the main problem.

    It would be nice to not have to tell your life history to untrustworthy strangers just to be able to drive to work but you are forced to deal with insurance companies or not drive. Although that YouTube video of the chap that opted out of PACE was interesting. Sending back your DVLA documents stating "this is not a car", you still pay if you have an accident if it is your fault but directly and you have the control of going to court or not.

  18. davidhall121

    Equinox

    Three times!

    No proof check at El Rey?

    (Edit) just read other comments

    1. Anonymous Coward

      Re: Equinox

      To be honest, that very much smells like auto-incorrect to me on account of "Equinox" being a dictionary word as opposed to "Equifax".

      Maybe worth using the "corrections" link?

  19. Anonymous Coward

    Someone stole my identity, I can only post AC now.

    1. Anonymous Coward

      ...and why would you think I can't steal that identity too from you...?

  20. Zippy's Sausage Factory

    The answer is simple

    We basically need to write to our banks, credit card providers, and so on, and ask whether they use Equifax, stating that if they do, we wish them to exclude Equifax from their business as soon as possible, or we'll change banks.

  21. Captain Badmouth
    IT Angle

    Article Photo

    I see the image accompanying this article shows one of the Equifux agents in the field running the latest secure software on their most up-to-date laptop.

  22. Anonymous Coward
    FAIL

    The only good thing about the 44 million number

    Is that if it plays out, then a huge chunk of the British political class and civil service now has their data out in the wild. If they start getting robbed by ID thieves, then maybe you will see some action against crooks, data aggregators and privacy invaders.

    1. Cyberhash

      Re: The only good thing about the 44 million number

      Pfft ......... these people you speak of (political class) don't need credit. They use dodgy accounts held in Bermuda along with Jimmy Carr. It's only us minions up to our eyeballs in debt that have their data in the hands of these types of companies.

  23. Anonymous Coward

    I hope they get sued into oblivion

    I can't help but be glad a spotlight is being shone on these shoddy companies. They must cause misery for plenty of innocent souls.

    16 years ago I applied for my first mobile phone contract - it wasn't extravagant, something like twenty pounds a month for some included minutes and texts. At the time I could have paid the entire 12 month contract from a single day's earnings. But apparently I failed the credit check and was refused service. I actually did offer to pay the full contract up-front but was still refused (Thanks, Orange).

    No-one could tell me 'why' I failed the credit check and I was only told I had to apply to three different companies to get hold of my credit records. Experian/Equifax were two of them.

    I was astounded to find out they were legally allowed to charge me for the privilege of receiving the information they collated - and sold to others - about me.

    Once I received said reports there was nothing negative on them at all. I always paid my credit card in full each month, never used an overdraft and yet these scoundrels had soured my good name.

    For a mobile phone at the time it was just a minor annoyance and I've been on pre-pay happily ever after since then. But I imagine untold numbers of people are unfairly paying higher rates for essential utilities and insurances due to similar misinformation.

    1. Ken Moorhouse Silver badge

      Re: paid the entire 12 month contract from a single day's earnings.

      I'm sure some scoring goes on behind the scenes which might indicate bad risk. For example if someone whose only known job is to stack shelves in a supermarket runs a Ferrari then one has to ask the question as to where the money is coming from.

  24. Andy Livingstone

    Chocolate Fireguard?

    "Notification in such cases is not mandatory under current UK data protection laws.

    A spokeswoman at the ICO was not able to provide any guidance on the extent to which UK consumers were affected by the breach when we called."

  25. Sloth77

    Ironic...

    The UK Equifax site offers an "Equifax Protect" service:

    "Equifax is ideally placed to help businesses if they experience a data breach"

    https://www.equifax.co.uk/data-breach/react.html

    They *really* should take that page down....

  26. Lion

    The people's representatives - get a backbone

    Governments should make a deal with the credit reporting companies that they can not refuse. As governments outside the USA rely primarily on fines in these situations, it would be appropriate for the fine to be in the billions of dollars, not hundreds of thousands. Law makers need to get a backbone and work across borders when cyber crimes are at the core of the issue. A few thousand dollars is not a deterrent and nor will it cover the damage it will do to the economy. The individual citizen impacted by security breaches never benefit from these fines. They are left to be victimized by criminals and have to bear the fallout and financial costs on their own.

    Equifax will use the courts to shelter them from the fines, so the government(s) should offer them an out of court settlement (to appease the courts). Pay the fine or agree to all of the government's non-negotiable conditions that will be put in place to clean up the mess they created and meet new regulations for the industry. The fine will be incrementally reduced as each condition is met. The response to Equifax should make it clear that new laws and regulations that result from this breach will include criminal charges and mandatory jail time for company executives. Co-operate or face the consequences.

    The agreement should be globally enforced. Under the FBI and Homeland Security, the USA could work with other countries to create a framework that would not allow private companies to drive the solution when cyber crime puts a country's economic stability at risk.

  27. FiletCrochet

    That link in the article to "Equifax’s dedicated breach-handling site" takes you to a site that is only for people in the US (asks for your social security number, required field). So far, I have not been able to find any way of credit freezing your record on-line at Equifax UK. Has anyone else found it?
