Punctual as ever, Equifax starts snail-mailing affected Brits about mega-breach

UK financial service regulators only learned of this year's Equifax mega-breach through media reports. The admission comes in correspondence from the Financial Conduct Authority (FCA) released by Treasury Committee on Tuesday. A letter from the FCA to Nicky Morgan MP, chair of the Treasury Committee, confirms that the …

  1. Aladdin Sane

    offered a free comprehensive ID protection service

    Because people are going to trust these fuckers again?!

    1. Anonymous Coward

      Re: offered a free comprehensive ID protection service

      I got mine yesterday.

      They do so very helpfully (please note intended sarcasm) offer two other companies, Noddle (CallCredit) and Clearscore as alternatives. It's for 12 months and if you wish to continue you get another 12 months free but after that...

      However, it's not a case of you trusting them, you don't get a choice unless you actively look for companies that do not use Equifax and are honest about not using them.

      Basically we're all screwed and not much you or I can do to fix it.

      1. Jtom

        Re: offered a free comprehensive ID protection service

        I got mine yesterday, too. I especially liked the part that said hackers may have captured even more personal information, and I could get specific information on what data of mine was compromised if I logged in and provided the last SIX digits of my Social Security Number (the missing first three were based on the location where you applied for your number, and could be easily determined by trial and error). Yeah, that's just what I want, yet another database they have with my personal data.

    2. rmason

      Re: offered a free comprehensive ID protection service

      @Aladdin Sane

      You don't really have a choice. There is only a handful of these types of companies. Chances are, if you need any sort of financial product (or similar) ever again, you'll be using them.

  2. Swiss Anton

    Moved house?

    You've moved house? Let's hope the new occupier doesn't read your letter sent by Equifax!

    1. Blotto Silver badge

      Re: Moved house?

      Well, they think my last address was a place I lived at 20 years ago, and not the house I moved out from 4 years ago.

      I'm not surprised they are having issues matching people's details with current addresses.

    2. Anonymous Coward

      Re: Moved house?

      The letter states that you will have to supply some information to set the services up.

      I read that and instantly thought "are you having a fucking laugh?", I'm going to give you more information when you couldn't keep my other information safe. You have more chance of finding a completely secure, robust, useful and profitable IoT device.

    3. Velv

      Re: Moved house?

      Equifax are useless with addresses.

      They cannot agree that I'm on the Electoral Roll since the Electoral Roll in Edinburgh doesn't use the Postcode Address File (it uses the Rates valuation scheme of old).

      Experian and Callcredit both managed to put together all the records; Equifax's response was "get your bank to change your address".

  3. Anonymous Coward

    Time to

    severely fine the managers, and not out of the corporate pot.

    Out of their own wages, so that they have some idea what it is like to have your fucking account emptied through no fault of your own.

    1. Aitor 1

      Re: Time to

      Err, no, prison.

      1. Anonymous Coward

        Re: Time to

        I personally would put the whole management team in the clink, seize the personal assets of everyone who profited from the decision to ignore their responsibility to the data owners: staff, shareholders, family members, you name it, everyone who got a cut in exchange for exposing a large part of the western world.

        They did this for money and so that is how you must punish the majority, so that in the future others who care only for "the bottom line" know that the decision to ignore security is too expensive to consider repeating.

        For a f*kup of this order the company and all data collected needs to be destroyed along with any copies of the data held by "third parties", a clear message to everyone else in their market that it means their ass if their security gets breached.

        1. Halfmad

          Re: Time to

          You'd end up jailing innocent people.

          We need our financial regulators to have tie-in powers with the police to enable seizing of company assets/e-mail servers and accounts quickly, then using that along with paperwork to identify the guilty parties. Not simply jailing people because of their post within a company.

          In every company there are good and bad people, we need to ensure the good ones remain to change company culture.

  4. This post has been deleted by its author

  5. ShortLegs

    Christ, you had one job to do. Identify the individual. Now you are saying that you cannot notify individuals, because you cannot guarantee you can identify them?

    If that is not sufficient grounds to revoke their licence, God knows what it would take.

  6. adam payne

    'The FCA is content to accept Equifax's figures for the number and details of records exposed but still has questions about how long it took Equifax to come up with these figures.'

    Why would anyone accept the word of Equifax?!?

    What's the betting the number changes in the next month.

  7. Anonymous Coward

    Equifax you are a bunch of fuds.

  8. Anonymous Coward

    re: Equifax : I think it has all been said

    re: UK regulatory response : Why on earth is Equifax allowed to come with this feeble, insufficient, late, lacking response? Our laws and regulations that weak - or are we just going to believe Equifax when they say: Sorry, but there wasn't really anything there.

    1. Anonymous Coward

      Our laws and regulations that weak?

      Why on earth is Equifax allowed to come with this feeble, insufficient, late, lacking response? Our laws and regulations that weak - or are we just going to believe Equifax when they say: Sorry, but there wasn't really anything there.

      Because the FCA have no big stick with which to beat Equifax Inc with, since it is not a UK company? I imagine the FCA only has powers over the UK subsidiary, not the far more substantial US corporation. It's probably a bit like having the power to summon your pet hamster to answer for your activities. Possibly quite scary for the hamster, but it isn't going to hurt you much.

      1. Anonymous Coward

        Re: Our laws and regulations that weak?

        > Because the FCA have no big stick with which to beat Equifax Inc with, since it is
        > not a UK company? I imagine the FCA only has powers over the UK subsidiary, not
        > the far more substantial US corporation.

        Indeed, it'd be the organisation known as Equifax Limited (formerly Equifax Plc), which made around £24m in pre-tax profit on £115m of income last year, which they'd have powers over (as Equifax US isn't trading in the UK). The FCA/PRA do have fairly severe powers available to them, including licence revocation, banning individuals from working in the sector, and custodial sentences for senior managers (if they chose to use them, and upon successful prosecution, obviously)...

  9. Warm Braw

    The phrase "you had one job" comes to mind...

    They made a net return of about 15% on a turnover of about $3bn last year. That's their one job.

  10. Anonymous Coward

    I'm calling bullshit on the data accessed and the numbers affected, both myself and my partner received the letter yesterday.

    Name/DOB/Telephone number.

    It's very unlikely that they segmented other data securely from the database accessed, especially the address.

    It's OK though because I will keep this letter and Equifax can be accountable for any clean up of credit file that needs to be done if someone uses our name to get credit.

  11. Zippy's Sausage Factory

    It's time to say to banks "do business with Equifax, anywhere in the world, lose your UK banking licence".

    Put them out of business.

  12. Anonymous Coward

    I last had dealings with Equifax two years ago when they decided that my father was now the occupant of my house due to their crappy data matching.

    No improvement from 17 years before when they decided that I should have some random's defaulted catalogue debt attached to my file because we shared the same surname.

    Bunch of incompetent morons.

  13. Version 1.0 Silver badge

    Who Cares?

    If it was up to me, I'd shut the company down in the UK and forbid anyone to do business with them. If these companies face no real problems after losing everyone's data, why should they care? Shut them down and maybe the other companies will notice and start to care about security.

  14. Commswonk

    WTF..?

    Equifax said it began notifying the customers most exposed by letters posted on October 13. "Consumers who have potentially had their driving licence numbers or...

    Two points spring to mind: firstly, are they only notifying those "most" exposed? What about those "slightly" exposed? Secondly, how the hell did Equifax get hold of driving licence numbers, and why? Were they willingly handed over by the owners themselves?

    I find myself wondering if the FCA and ICO should be laying down the law and stipulating what data may be requested (and thus stored ready for later theft) and what data must not. Exactly how Equifax obtained this (sort of) information must be the subject of a specific enquiry. What else was sitting there pending misappropriation?

    1. Martin Audley

      Re: WTF..?

      Probably obtained via credit checks made by car hire companies?

      Still doesn't explain why they needed to keep that information though.

      It would breach Data Protection Act clauses straight away if the information was kept just for the sake of it.

      1. Commswonk

        Re: WTF..?

        Probably obtained via credit checks made by car hire companies?

        Sounds doubtful; if I pay for a hire car - or anything else for that matter - by credit card then what credit check would be needed? The CC company decided I was a good risk, and the car hire company has no need to conduct further checks.

        Doesn't mean they don't though, but if that was going on I would hope that the FCA / ICO would step in and tell them to stop it on data protection grounds.

        1. Anonymous Coward

          Re: WTF..?

          > Probably obtained via credit checks made by car hire companies?
          >
          > Sounds doubtful; if I pay for a hire car - or anything else for that matter - by credit card then what
          > credit check would be needed? The CC company decided I was a good risk, and the car hire
          > company has no need to conduct further checks.

          If you let someone drive your vehicle without taking all reasonable measures to ensure that they are legally entitled to do so (licence, insurance), you are liable to prosecution as a result. Car hire companies generally will ask to see your driving licence to head off this liability. Doesn't mean that they have any business forwarding it to the credit agency, though.

      2. Brenda McViking

        Re: WTF..?

        Driving licence numbers will have been harvested from people trying to get car insurance quotes and passed to Equifax for insurance fraud checking, and that will be their excuse for keeping it until year infinity + 1. I notice the usual suspects on the price comparison websites tempt you into giving driving licence numbers for "better quotes."

        An example needs to be made of Equifax. I think the last 10 years of their UK subsidiaries' profits is a good starting figure for a fine for criminal negligence; it ought to bring the risk-reward ratio into the realms of reality, rather than the current situation of no risk, all reward for profiteering from our data.

  15. Mr Dogshit

    "revoke its right to operate in the UK"

    Do it. And kick out Experian and the third outfit.

  16. Kyorin

    CallCredit Noddle are terrible too.

    Call Credit refused to remove erroneous data from my Credit Report despite me having provided them with all the evidence they had asked for. It was only when I contacted the Financial Ombudsman and they got involved that it got cleared up. I then was paid compensation by CallCredit themselves, and also Cabot Financial who also refused to stop chasing me for someone else's debt. Similar situation with Liverpool Victoria, however they responded very quickly when I pointed out their error, and offered me £250 as an apology.

    1. VinceH

      Re: CallCredit Noddle are terrible too.

      I keep reading 'Noddle' as Noddie - which, mis-spelling of Big Ears' mate's name aside, sounds like it could be right.

  17. Anonymous Coward

    Solution

    It's a requirement for a financial institution to check when a new customer is taken on to ensure their details are correct, to prevent fraud etc. However, doing this via a third party is idiotic; there have been cases where people cannot open accounts because the third party organisation has effective data.

    Then we have the issue where they lose data to hackers.

    Bonafide financial organisations, vetted by the FCA, should allow inter financial organisation verifications, cutting out the third party organisations completely. There is no need for these organisations.

    BTW aren't Equifax involved with HMRC in some new contract?

    1. Anonymous Coward

      Re: Solution

      oops, for effective read defective

  18. Anonymous Coward

    Me too..

    Yep got the Equifax missive.

    Mine is the same as the above letter; apparently my name, DOB and tel num have been splurged. What redress do I have against these f**kwits for their ineptitude?

  19. Andrew Barr

    GDPR

    Is there much use for GDPR if companies like TalkTalk and Equifax have already released everyone's information? Can companies state that future breaches don't matter as much as the information is already in the public domain?

    Mine's the one with the list of everyone's name and addresses in the pocket.

  20. a_yank_lurker

    Lucky Blighters

    Equinefax has not sent any letters to anyone over here yet. So count yourselves lucky they are sending a letter.

  21. Roj Blake Silver badge

    Addresses

    If Equifax can't guarantee that the addresses in their database are correct, then what's the point of using them as a credit reference agency?

    1. Captain Badmouth

      Re: Addresses

      More to the point, as mentioned above, why aren't they double-checking their records before sending out letters?

  22. Potemkine! Silver badge

    Nothing will happen for Equifax

    Thus human courts acquit the strong,

    And doom the weak, as therefore wrong.

    At worst it will get a small fine compared to its revenue, but nothing more. There are too many interests, too much money involved.

    Justice is harsh only for the small ones.

  23. 2Fat2Bald

    Should be as simple as this. You need a licence to hold personal data. It can be revoked. If it IS revoked, you need to delete the personal data as you are no longer considered fit to hold it.

    Not really that complex. Of course anyone relying on data from someone who didn't have a licence to hold it would be on VERY Dodgy ground, legally.

    Which would basically screw their business model completely. Which is what they deserve for this.

  24. SAdams

    The reality is probably that everyone who has ever had a loan / mortgage etc is in the leaked data. Their story doesn’t seem to make sense ...

  25. JLV

    Canada's still being fed the low numbers bullshit by Equifax claiming that only 8000 people were affected.

    Yup, pull the other one.

    We need a category of criminal or civil law that makes it possible to go after the personal assets, trigger dismissal, or even send to jail executives that commit gross negligence during the carrying out of their duties. A company might be guilty but the problem is that these folk can cash out on bonuses during the years that their bad decisions inflate profits. And, then, at worse they get a gold parachute to ease their way out and their successors and company staff are left to deal with the mess.

    So to keep these folks honest, you need the possibility of personal losses, not just the certainty of gains when they game the system.

    That goes for anyone in the Equifax executive decision chain that under-budgeted their security systems, if that is proven to be the case.

  26. charlie-charlie-tango-alpha

    Don't bother 'phoning

    I got one of these missives, as did my wife. I've tried calling the "helpline" (largely to vent my spleen rather than in the hope of any real action) only to be met with the usual robotic: "Thank you for calling Equifax, please choose from one of the following three options". Option 1 is the one you need if you are calling about their "data breach service" (nice name, sounds like a new product). Pressing that number results in the repetition of the same message. As does pressing any other bloody number.

    So they can't even get a fucking answer system robot to function correctly.

  27. jaycee331

    Fight Back

    For any of you familiar with the basic principles of the data protection act, please humour this theory.

    1] Any UK co. I do business with has a statutory duty of care to protect my PII

    2] I have no legal relationship with Equifax, so they're not accountable to me. But any company I have a relationship with, who shares my data with Equifax, is.

    3] Equifax have categorically been proven not to be a competent and secure data processor

    4] As a UK citizen, my data had no business being visible through a US website

    So what would happen if I write to all my banks and utilities stating that they are in default breach of the DPA and I prohibit them from sharing any more of my data with Equifax?

    Should they continue to do so, they are in further breach of the DPA by continuing to expose my data to a third party that is no longer trustworthy or competent.

    A further angle would be anyone wanting to switch suppliers and get out of contract early: could they claim breach of contract and walk, the contract voided by the supplier because they have failed in their implied or explicit duty of care under the DPA?

    Wishful thinking???

  28. MMannoyed

    Questions about the letter

    A letter from Equifax has arrived today: my date of birth and tel no were hacked in May.

    Query:

    1. Why is this 6 months late?

    2. Why offer to set up a Protect service by phone, then tell me when I call that it must be done online?

    3. Why would I hand you more credit card and bank details so that you can 'protect' them?
