Which? uses cookies to improve our sites and by continuing you agree to our cookies policy.

Equifax data breach hits 143m customers

Majority of victims are U.S-based but some UK residents also affected

A small portion of UK customers are likely to be affected by the cyber-attack on credit monitoring company Equifax, it has been confirmed. 

Yesterday, Equifax announced that criminals had exploited a weakness in its website to gain access to the private data files of around 143 million customers, including names, social security numbers, birth dates, addresses and in some cases drivers’ license numbers. The hackers also stole credit card details for approximately 209,000 customers and personal identifying information from approximately 182,000 customers.

The company confirmed that the majority of those affected were based in the United States, but warned that ‘limited data’ from some customers in the UK and Canada had also been compromised.

The Information Commissioner’s Office is currently working with Equifax to establish the extent to which UK customers were affected.

Subscribe to Which? Money Weekly

A free newsletter from Which? Money Compare offering unmissable news, deals and money-saving tips delivered to your inbox every week.

Register here

Newsletters

Data breaches in numbers

The Equifax data breach is the latest in a slew of cyber-attacks against major corporations. Although this breach hit U.S customers hardest, previous attacks on other corporations have affected huge groups of UK customers.

The table below lists some of the most recent cyber-security breaches involving the British public.

Company targeted Timeframe Numbers of people affected Nature of attack
Debenhams Flowers May-17 26,000 A malicious computer program accessed payment details, names and addresses of customers
Wonga Apr-17 250,000 Hackers were able to access customer records, bank account details, sort codes, addresses and phone numbers
Three Mar-17 130,000 Fraudsters hacked the phone upgrade system to acquire new handsets
Tesco Bank Nov-16 9,000 The bank accounts of 9,000 customers were drained, amounting to losses of £2.5m
Sports Direct Sep-16 300,000 The company’s staff portal was illegally accessed, exposing staff members’ personal information

Find out more: can I stop companies using my data? – our guide to dealing with companies using your data

What to do if your data is compromised

During a cyber-attack, a criminal will typically seek to access to a company’s database by exploiting an online gateway, stealing password information, or deploying a malicious program. In most cases, hackers are hoping to profit from sensitive customer information – for example, by stealing credit card details, using personal information to commit identity fraud, or ransoming the data back to the company.

Companies in the UK are obligated to protect customer data under the Data Protection Act. Those who fail to take appropriate steps could face severe penalties. The Information Commissioner’s Office can impose fines of up to £500,000, and pursue prosecution for the most severe breaches.

When new EU data protection regulations kick in on 25 May 2018, the upper limit for fines could rise to 20 million euros or 4% of annual global turnover – whichever is higher.

Find out more: Data Protection Act – how the legislation protects you

If you’re worried that a company is not properly dealing with your information, the ICO provides a template for raising a concern with the company. Alternatively, you can report a concern directly to the ICO, which has the power to launch an investigation into the company’s information handling practices. The ICO urges the public to make complaints within three months of their last contact with the company.

You’re also entitled to request for an organisation to reveal the information it holds about you by making a Subject Access Request – which you can do by writing to the company directly. Organisations have 40 days to respond and are required to provide you with any personal information they currently hold, though some exceptions apply.

In the worst case scenario, where your data has been compromised, and you suffer damage as a result, you can claim compensation for your loss. Unless the company agrees to pay a settlement, you’ll need to file a claim in court. Before doing so, you can ask the ICO to assess whether, in its view, the company breached its obligations under the law. You can then submit this letter as evidence in court, though the courts are not obliged to agree with the ICO.

After a data breach, you should also take the following steps to protect yourself:

  • Change your passwords on any online accounts holding sensitive information.
  • Contact your financial providers – including mortgage, current account and debit card providers – to make them aware of the potential breach.
  • Check your credit card statements carefully in the following months to monitor unusual or unauthorised activity.
  • Check your credit score and report any discrepancies directly to the credit monitoring company.
  • Contact CIFAS – the Fraud Prevention Service – to apply for protective registration, which will trigger additional checks any time someone tries to open a financial product.
  • Keep an eye out for any questionable activity, such as mail you didn’t request, emails alerting you to password changes or other signs that someone may be using your identity.
Back to top