Equifax revealed in September this year that it suffered a catastrophic cyber-security breach between May and July. With recent revelations showing that the sensitive data of 15.2m UK consumers have been affected – a far higher number than the original estimate of 400,000 consumers – Nicky Morgan has written to the Equifax chief executive demanding more answers.
Among other questions, Morgan asked Equifax in her letter to clarify when it became aware of the breach, why its original estimate was so much lower than the updated number, how it plans to help individuals who have been put at risk of fraud, and what compensation the company plans to pay to those who do fall victim to fraud as a result of the breach.
Morgan said: “Equifax has taken too long to notify those affected by its widespread cyber-security breach. People have been left in the dark for too long, which has increased the risk that they fall victim to identity theft and fraud.”
In March this year, Bloomberg News reported that Equifax had suffered a massive breach of its computer systems. On September 7th, the credit reference agency announced that another attack – possibly perpetrated by the same party responsible for the March incident – had occurred beginning mid-May, though the second breach wasn’t spotted until July.
Although the credit reference agency initially said “fewer than 400,000” UK consumers were affected, it emerged this week that 693,665 consumers had their data stolen – and a further 14.5m UK records, which contained only names and dates of birth, were compromised.
The company also denied in September that the compromised UK data included any addresses, passwords or financial information.
However, of the 693,665 UK customers affected, 15,000 members had their Equifax membership details compromised – which included passwords, secret questions and answers, in addition to partial credit card details.
“It is particularly concerning that the breach occurred in a business that sells identity protection services,” Morgan added, particularly given that Equifax is “looking to take advantage of the commercial opportunities afforded by data sharing initiatives, such as Open Banking.”
Requesting a reply by 24 October, Morgan said that if the Treasury Committee does not receive a full and timely response to her questions, the committee will “consider taking public evidence from Equifax.”
Morgan has also written to Andrew Bailey, chief executive of the Financial Conduct Authority, for his assessment of Equifax’s response, and whether the FCA is considering further action.