More details are emerging from the recent Equifax data breach that impacted approximately 143 million U.S. consumers. The attackers exploited the CVE-2017-5638 Apache Struts vulnerability that was fixed back in March, but the company did not update its systems, a thesis that was also reported by an Apache spokeswoman to the Reuters agency.
Now the UK division of the credit reference agency has revealed that 400,000 UK people were affected due to a “process failure,” but the systems of the company in the UK were not affected.
The platforms used by Equifax Ltd and TDX Group are “entirely separated from those impacted by the Equifax Inc cybersecurity incident.”
Unfortunately, the investigation revealed that there was unauthorised access to limited personal information for certain UK consumers, but hackers did not access financial data or credentials.
“Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.The information was restricted to: Name, date of birth, email address and a telephone number, and Equifax can confirm that the data does not include any residential address information, password information or financial data.” reads the Equifax UK.
“Having concluded the initial assessment, Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them.”
According to the company, the UK consumer data that may have been stolen does not include “any single Equifax business clients or institution.”
The Information Commissioner’s Office (ICO) ordered Equifax to alert British customers following the incident.
“Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised,” ICO deputy commissioner James Dipple-Johnstone said.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber-attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”
Equifax will notify the affected UK customers offering them an identity protection service for free.
The service will monitor any suspicious activity about possible misuses of victim’s data, including monitoring of web and social media information.
“We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.” said Patricio Remon, Europe president at Equifax Ltd.
The company is still investigating the incident.
(Security Affairs – Equifax data breach, cybercrime)