According to Brian Krebs in his excellent blog, Krebs on Security, the data of 693,665 UK residents has been stolen. That is over 1 in 100 UK residents. Not an insignificant number.
Krebs says “In a recent statement, Equifax said it would notify 693,665 U.K. consumers by mail that their personal information was jeopardized in the breach. This includes:
- 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed.
- 14,961 consumers who had portions of their Equifax.co.uk membership details — such as username, password, secret questions and answers, as well as partial credit card details — accessed.
- 29,188 consumers who had their driver's license numbers accessed.
- 637,430 consumers who had their phone numbers accessed
The numbers include data that Equifax held on U.K. consumers as far back as 2011, the company said. Equifax did not say whether any of the above-mentioned data was encrypted.”
No mention of encryption would lead me to believe that it was not secured in that way; otherwise the company would surely release that information in an effort to allay consumers' fears.
At the same time, the NCSC (National Cyber Security Centre) has warned consumers to be wary of phishing attacks made to look like communications from Equifax about the breach.
“Another risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” the NCSC wrote. “Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as: ‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’. These phishing messages may be unrelated to Equifax and may use more well known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.”
As if this were not enough, spyware has also been served to users of one of Equifax's credit assistance web pages via a fake Adobe Flash download. Does the nightmare never end for the consumer?
Brian Krebs' final analysis of the situation was on the button, as he commented:
“Equifax has been widely criticized for continuously bungling their public response to this still-unfolding data disaster, and today’s update about the extent of the breach in the U.K. was no exception. The Equifax Web site that hosts today’s press release serves “mixed content,” meaning it includes elements that are served over both encrypted and unencrypted pages. The practical effect of this varies depending on which browser you’re using, but some browsers will display a security warning when this happens.”
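The mixed content Krebs describes can be checked mechanically. The following Python script is an added example, not code from this post or from Krebs; the page URL and the HTML it scans are constructed sample data, and it goes a step beyond the quote by mirroring the active/passive split that browsers apply when deciding whether to block a resource or only warn.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load a sub-resource, per tag (a representative subset, not exhaustive).
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "source": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",), "embed": ("src",),
    "link": ("href",),  # only counted when rel includes "stylesheet" (see below)
}
# Browsers block "active" mixed content (can run code or restyle the page) and
# merely warn about "passive" content such as images; mirror that split here.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases names; boolean attrs have value None
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # e.g. <link rel="icon"> is not a stylesheet
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn...") URLs inherit https from the page.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((severity, tag, resolved))


def find_mixed_content(html, page_url):
    """Return [(severity, tag, url)] for every http:// sub-resource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over TLS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


SAMPLE_PAGE = "https://press.example.com/release.html"  # constructed URL
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/img/local.png">
</body></html>"""
```

Calling `find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE)` flags the plain-http stylesheet as active and the plain-http image as passive, while the protocol-relative script and the site-relative image resolve to https and pass.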
You would think lessons would be learnt, and quickly, by a company that has come unstuck through massive amounts of data being breached via a publicly available consumer dispute portal that allegedly:
- Had weak authentication
- Was unpatched
- Was unencrypted
Yet apparently, at the time of writing, Equifax has just such a consumer dispute portal in Argentina that is protected only by the username and password admin/admin.
This one could just run and run.