Hackers raided up to 15.2million personal records of UK consumers during a cyberattack on Equifax, in one of the worst security breaches in British history.
The attack means almost 700,000 people’s personal details could now be in the hand of criminals – in some case including credit card information, passwords and driving licence details.
Credit checking agency Equifax’s defences were overcome as long ago as May and the firm realised the scale of the problem at the end of July.
But it only started writing to the 700,000 UK victims last night, even though once of its own surveys shows people affected expect to be told within hours of a hack.
Almost 700,000 people’s personal details may now be in the hands of criminals after more than 15million in the UK were targeted by hackers
The business last night risked the ire of MPs and campaigners by offering no compensation to people who were caught up in the scandal through no fault of their own.
Instead, they are only being offered free use of Equifax’s own fraud protection products.
Tory MP Charlie Elphicke, a member of the Treasury Select Committee, said: ‘Equifax’s measly offer to the 700,000 people who may have had information taken is simply not good enough.
‘Who knows what internet crooks might do if they have got hold of people’s personal details.
‘Equifax have serious questions to answer about how they have handled this entire scandal.’
Liberal Democrat leader Sir Vince Cable said some Equifax customers should be offered compensation after more than 15million Britons were hacked
Liberal Democrat leader Sir Vince cable said: ‘Equifax should be offering people a choice.
‘If customers are perfectly happy to accept free services in lieu of payment that’s fine.
‘But if they decline to accept, they should be offered compensation.’
Equifax first revealed it had been hacked on September 7, saying that the data of 148million Americans had been breached.
It initially claimed that only 400,000 Britons were caught up in the hack.
But on Sunday, October 1 – 11 days ago – security firm Mandiant told bosses that their investigation had found the scope was far wider than first feared.
Hackers attacked a file containing 15.2million UK records from between 2011 and 2016, which had been legally stored on U.S. servers so their details could be used to test new products.
Equifax claims that much of this information is garbled and of no use to the criminals.
But it is writing to 693,665 consumers whose details were definitely exposed.
This includes 12,086 people who had an account on the firm’s website and whose email addresses were exposed.
Hackers got at another 14,961 account holders’ usernames, passwords and partial credit card details. And the driving licence numbers of 29,188 more consumers were also lost.
Labour MP Wes Streeting, who is a member of the Treasury Select Committee, accused Equifax of a total dereliction of duty
People in these three groups will be offered free use of Equifax’s anti-identity theft service.
If they no longer trust the firm, they will have to pay to use a service from a rival organisation.
The phone numbers of another 637,430 people were also seized.
Equifax said it will offer them free use of a ‘leading identity monitoring service’.
Hackers are likely to try any passwords they have gathered on other email accounts and websites to see if they can gain access.
Meanwhile phone numbers, email addresses and driving licences can all be used as part of efforts to impersonate another person and take out loans or open bank accounts in their name.
As a credit checking service used by banks to assess whether they should lend someone money, the business holds details on everybody in the UK whether they signed up to it or not.
Previous raids resulted in nearly 157,000 customer details being taken from broadband business TalkTalk
Many of the hacking victims may well have had no idea their personal information was in the hands of the U.S. business.
Equifax’s Europe president Patricio Remon said: ‘Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act.
‘Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
‘It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.’
Bosses have previously faced fierce criticism for taking months to write to British victims.
Labour MP Wes Streeting, a member of the Treasury Select Committee, last week blasted the firm for a ‘total dereliction of duty’.
Although the hack is not the largest, the fact crooks were able to strike at a company which holds such sensitive information will raise questions about the details kept online by banks and other finance firms.
Any punishment will be decided on by the Information Commissioner’s Office watchdog.
A total of £2.5million was stolen from around 9,000 customers of Tesco Bank last year when it was hacked
It has the power to fine firms up to £500,000 – a figure dwarfed by Equifax’s £370million profit last year.
The debacle is particularly ironic because the company claims to be a leading authority on cyber security.
In a survey last year, the business found that 63 per cent of a company’s customers expect to be told about a data breach within hours.
Previous raids have seen nearly 157,000 customer details taken from broadband business TalkTalk, while £2.5million was stolen from around 9,000 customers of Tesco Bank last year.
The scandal has triggered a furious reaction in the US, leading to the resignation of chief executive Richard Smith lost his job over the scandal, along with the firm’s information and security chiefs.
Several other Equifax executives are facing an insider trading probe for selling £1.5million of stock after the breach was discovered but before it was announced to the world.
They all deny wrongdoing.
A spokesman for the Information Commissioner’s Office said: ‘We continue to investigate what happened at Equifax and how UK citizen’s information came to be compromised.
‘It is a complex and fast-moving case and we are working closely with other UK regulators and our counterparts in Canada and the US.
‘We have been pressing Equifax to confirm the scale and any impact on UK citizens and, from the outset, we advised the firm to alert and support victims.’