A further 167,000 victims of the Equifax data breach will receive a warning from the firm, indicating the May 2017 hack may have left them at greater risk of fraud.
The latest wave comes after the firm previously wrote to 693,000 UK individuals thought to be most at risk – taking the total number of UK warning letters to over 860,000.
The credit reference agency says it has decided to write to thousands more victims whose landline telephone numbers were already published in public telephone directories but were accessed as part of last year’s cyber-attack.
Which? has already highlighted confusion and alarm caused by the letters, which fail to explain who Equifax is or why it holds victims’ data.
Equifax data breach: 15.2m Brits affected
In May this year, Equifax announced its data had been accessed by hackers in a cyber-attack. Some 15.2 million UK client records were compromised, and Equifax initially wrote to 690,000 UK consumers who are likely to have had sensitive details stolen.
These include email addresses, passwords, driving licence numbers, phone numbers and partial credit card details.
This latest announcement reveals that a further 167,000 had their telephone numbers stolen in the attack.
The warning letters offer free identity-monitoring services aimed at spotting impostor applications for credit cards and bank accounts.
Why Equifax has victims’ data
Equifax has confirmed that just 3% of the 693,000 worst-hit victims were its direct customers. Many of the victims may have never dealt with – or even heard of – the firm before.
How is this possible? As a credit reference agency, Equifax receives personal data from banks and financial institutions whenever someone applies for a bank account, mortgage or credit card.
Consent for this is usually included in the application terms and conditions, meaning Equifax may hold data on you even if you’ve never dealt with it directly.
It uses this data to generate your credit reports and score. Lenders then use these to decide how much of a risk you are before they approve your application.
As a result, Equifax’s only direct customers are the tiny minority who have transacted with it by purchasing a credit report or identity-monitoring services.
How to verify your letter
If you receive a letter regarding the Equifax data breach, and you’re not sure if it’s genuine, call Equifax on 0800 587 1584 to confirm the letter is genuinely from them.
If the letter is telling you to call a number other than the one above, it may be a scam.
Should you accept the free identity monitoring services?
If your data has been breached, you may be at heightened risk of identity fraud. To combat this, Equifax is offering its worst-affected UK customers free services which monitor whether your identity has been compromised online.
It’s also offering Cifas Protective Registration – a third-party service which prompts banks to conduct extra identity checks when they receive an application in your name.
If you are concerned about the security of Equifax’s own products, you can opt to be enrolled in Cifas’s service instead. However, you will still have to give some personal information to Equifax so it can enrol you for free.
It is possible to enrol directly through Cifas, though this will attract a £20 charge (for two years’ cover).
You can find out more in our guide on what to do if your data is lost or stolen.