Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Equifax UK Breach Notification Demands Victims' Details

Data Broker That Mishandled Brits' Data Now Demanding More Data to Protect Them Mathew J. Schwartz (euroinfosec) • November 29, 2017

Fool me once, shame on you. Fool me twice, shame on me.

That's the situation facing victims of Equifax's massive data breach, who are being offered identity theft or fraud monitoring services from the data broker (see Equifax: 15.2 Million UK Records Exposed).

Unfortunately, this is a normal state of affairs in the United States, where Equifax says 145.5 million consumers' information was also exposed by the breach, which occurred in March and wasn't detected until late July.

In the United States, data brokers who get breached are under no obligation to offer their breach victims identity theft monitoring services from a competitor, and Equifax is not the only offender (see Experian Faces Congressional Scrutiny Over Breach).

Now British breach victims are being given the chance to trust their anti-fraud monitoring to the very same business that lost their information in the first place.

In recent weeks, 700,000 U.K. residents have begun receiving letters from Equifax that offer them free enrollment in an anti-fraud service. Equifax is the second-largest U.K. data broker, following Experian (see Equifax CEO: 'We Will Make Changes').

But there's a catch: To enroll in any of the Equifax fraud-detection programs on offer, U.K. victims must share their personal information with the data broker, including their name, address, date of birth and email address, followed by creating security questions, reports the consumer-focused Money Saving Expert website.

In other words, to better protect breach victims, Equifax - which lost their information in the first place - wants those victims to trust it with more personal data.

Do breach victims trust Equifax? In the words of Alan Woodward, a professor of computer science at the University of Surrey, who's received a "you've been an Equifax breach victim" letter from the data broker: "I think not."

After months Equifax writes to me to say my details have been compromised, even though I've never been a customer. Their solution? Give them more personal data to use one of their "free services". I think not. https://t.co/DxQTuswFcc
— Alan Woodward (@ProfWoodward) November 24, 2017

Both the U.K. Financial Conduct Authority, which regulates retail and wholesale financial services firms, and the Information Commissioner's Office, which is the U.K.'s privacy watchdog, are reportedly probing Equifax's handling of its post-breach fraud monitoring offer to its breach victims.

Congratulations: You're a Victim

As with U.S. victims of Equifax's data breach, until they receive Equifax's letter, U.K. breach victims may not even know what personal details the data broker was gathering, storing or selling. It's an infuriating turn of events for many consumers, who were - unbeknownst to them - Equifax's product. But the data broker's cybersecurity problems have turned those products into data breach victims through no fault of their own.

The ICO can impose fines of up to £500,000 on organizations that violate privacy rules or mishandle people's personal data. But once enforcement of the EU's new General Data Protection Regulation, or GDPR, begins in May 2018, EU privacy watchdogs will gain the ability to impose fines of up to 4 percent of a company's global annual profits, or €20 million ($23.5 million) - whichever is greater.

Contrast that to the United States, where the Republican-controlled Congress has signaled that it does not plan to pass a federal breach-notification law to replace the patchwork of 48 state laws now in place. Beyond getting notified about breaches and potentially offered identity theft monitoring services, however, consumers have few other rights or ways to seek compensation. Most U.S. class-action lawsuits filed over breaches fail because consumers cannot prove "harm" through direct and uncompensated financial loss (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).

While various Congressional committees have called current and former Equifax officials to testify, if past data breaches and lawmakers' response is any guide, nothing will change, and Equifax's stock price will return to normal next year (see Cynic's Guide to the Equifax Breach: Nothing Will Change).

In the meantime, Equifax breach victims get to keep looking over their shoulders in case fraudsters use their purloined data to commit identity theft or other types of fraud.

What types of personally identifying information may have gone missing for U.K. breach victims? "The data Equifax holds comes from four main sources - the publicly available electoral roll, court records, previous credit searches and account data shared by banks, building societies, utility companies and other organizations," Money Saving Expert says. For anyone who signs up for its anti-fraud service, however, the data broker will know even more.