Equifax Hackers Stole Info on 693,665 UK Residents

By LCC,

  Filed under: Latest From Krebs

Equifax Inc. said today an investigation into information stolen in the epic data breach the company disclosed on Sept. 7 revealed that intruders took a file containing 15.2 million UK records. The company says it is now working to inform 693,665 U.K. consumers whose data was stolen in the attack.

Previously, Equifax said the breach impacted approximately 400,000 U.K. residents. But in a statement released Tuesday, Equifax said it would notify 693,665 U.K. consumers by mail that their personal information was jeopardized in the breach. This includes:

- 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed
- 14,961 consumers who had portions of their Equifax.co.uk membership details — such as username, password, secret questions and answers, as well as partial credit card details — accessed
- 29,188 consumers who had their drivers license numbers accessed
- 637,430 consumers who had their phone numbers accessed

The numbers include data that Equifax held on U.K. consumers as far back as 2011, the company said. Equifax did not say whether any of the above-mentioned data was encrypted.

Meanwhile, the U.K.’s National Cyber Security Centre is warning residents to be on their guard against phishing attacks made to look like communications from Equifax about the breach.

“Another risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” the NCSC wrote. “Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as: ‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’. These phishing messages may be unrelated to Equifax and may use more well known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.”

ANALYSIS

Equifax has been widely criticized for continuously bungling their public response to this still-unfolding data disaster, and today’s update about the extent of the breach in the U.K. was no exception. The Equifax Web site that hosts today’s press release serves “mixed content,” meaning the page itself is delivered over an encrypted (HTTPS) connection but pulls in elements such as images, scripts or stylesheets over unencrypted HTTP. The practical effect of this varies depending on which browser you’re using: some browsers refuse to load the insecure elements, and some display a security warning when this happens.
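The mixed-content problem described above is mechanical enough to check for before a page goes live. The following Python script is an added example, not code from the original post or from Equifax: it parses a page's HTML and reports every subresource (script, stylesheet, image, frame, media) that an HTTPS page references over plain http://, classifying each finding the way browsers treat it under the W3C Mixed Content specification (scripts, stylesheets, frames and objects are "blockable" and modern browsers refuse to load them; images, audio and video are "optionally blockable" and are loaded with a downgraded security indicator). The page URL, hostnames and HTML document below are constructed for the example.

```python
"""Detect mixed content in an HTML page served over HTTPS.

Added example, not Equifax's code and not code from the original post.
The sample page URL, hostnames and document below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attributes through which they load subresources.
# Navigation links (<a href>) are not mixed content and are ignored.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}

# Per the W3C Mixed Content spec, images, audio and video are "optionally
# blockable" (loaded, but the browser downgrades its security indicator);
# every other insecure fetch is "blockable" and is refused outright.
OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}

# <link> elements that actually trigger a fetch; rel="canonical" etc. do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class MixedContentParser(HTMLParser):
    """Collects subresource references whose URL scheme is plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rel_tokens = set(attrs.get("rel", "").lower().split())
            if not rel_tokens & FETCHING_LINK_RELS:
                return
        for attr in RESOURCE_ATTRS[tag]:
            url = attrs.get(attr, "").strip()
            # Relative and protocol-relative ("//host/x") URLs inherit the
            # page's https scheme, so only an explicit http:// scheme counts.
            if urlparse(url).scheme.lower() == "http":
                severity = ("optionally-blockable" if tag in OPTIONALLY_BLOCKABLE
                            else "blockable")
                self.findings.append(
                    {"tag": tag, "attr": attr, "url": url, "severity": severity})


def find_mixed_content(page_url, html):
    """Return a list of insecure subresource references found in `html`.

    Mixed content only exists on a page that is itself served over https;
    for an http page nothing is "mixed", so an empty list is returned.
    """
    if urlparse(page_url).scheme.lower() != "https":
        return []
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an https press-release page with several insecure
# references mixed in among legitimate ones.
SAMPLE_PAGE_URL = "https://example.test/press-release"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://example.test/press-release">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="http://images.example.test/breakdown.png" alt="breach breakdown">
<img src="/images/logo.png">
<a href="http://example.test/faq">FAQ</a>
<iframe src="https://video.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['severity']:<21} <{finding['tag']} {finding['attr']}="
              f"\"{finding['url']}\">")
```

Run against the constructed page, the script flags the stylesheet and the tracking script as blockable and the breakdown image as optionally blockable; the canonical link, the protocol-relative script, the relative logo, the navigation link and the https iframe are all correctly left alone. Pointing `find_mixed_content` at real HTML fetched from a staging site (for example with `urllib.request`) turns it into a pre-publication check.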

That mixed content error may have something to do with a missing image in the press release. That press release was supposed to include an image that breaks down what exactly was stolen from U.K. residents — as detailed in the bulleted list above — but apparently the graphic was either removed or moved pre- or post-publication. Here’s what the press release looks like in Firefox (Equifax still hasn’t fixed this):

[Screenshot: the Equifax U.K. press release rendered in Firefox, with the breakdown graphic missing]

In Chrome:

[Screenshot: the Equifax U.K. press release rendered in Chrome, with the breakdown graphic missing]

In Internet Explorer:

[Screenshot: the Equifax U.K. press release rendered in Internet Explorer, with the breakdown graphic missing]

It’s fairly terrifying when you realize that a company which can’t even issue a press release without managing to omit the most important piece of information in it wields so much power over consumers. Nothing says ‘we care about your security and privacy’ like a message which warns “you got hacked!” and then fails to tell you what that actually means.

I’ve been spending quite a bit of time looking at Equifax’s various Web properties over the past few weeks and I have to say it gets scarier the more I look. First it was the discovery that Equifax’s consumer dispute portal in Argentina was protected by nothing more than the username and password “admin/admin.” It’s worth noting that, as mentioned countless times by Equifax’s former CEO in front of several congressional committees last week, the breach of sensitive data on 145.5 million Americans began with lax security at just such a dispute portal (the company declined to say which).

Earlier this week I pointed out that the company’s TALX Web site made it trivial to find the salary history of a large chunk of the American population, armed with nothing more than someone’s date of birth and Social Security number (both data points, by the way, that were stolen on 145.5 million Americans, thanks to Equifax). The company responded by taking the site offline a few hours after that story ran on Sunday. That site is still “under maintenance,” according to Equifax.

While Equifax has stressed that it will offer free credit monitoring services to victims of its own breach, it is still using the entire incident to drive traffic to areas of its consumer business that make the company oodles of money, such as “FREE* credit report & score” services for only £14.95 per month. It’s impossible to understand how Equifax could fail to notice the atrocious optics here, unless of course it really doesn’t care.

[Screenshot: Equifax.co.uk promoting its paid “FREE* credit report & score” service alongside the breach notice]

By the way, if you’re somehow just tuning in to news about this breach, don’t sweat it: Here’s a Q&A that explains what’s at stake and what you should do.