US credit agency Equifax has revised up the number of customers in the UK whose personal information was stolen by hackers earlier this year.
It announced yesterday evening that 694,000 UK customers’ data was breached, more than three weeks after saying the hack had affected fewer than 400,000.
The US firm suffered a massive cyber attack between May and July, when hackers may have stolen more than 145 million Americans’ data.
In its latest statement Equifax said it would write to affected customers in the UK to offer help to “minimise any risk of possible criminal activity”.
Besides the near 700,000 people whose data was stolen, hackers may have accessed up to 14 million UK records containing names and dates of birth.
Equifax said the 694,000 affected customers could be split into several groups: 637,000 people’s phone numbers were stolen, 29,000 people’s driving licences were stolen and 12,000 people’s email addresses were stolen.
A further 15,000 had some of their Equifax.co.uk membership details, including usernames, password secret questions and answers and partial credit card details, stolen.
Patricio Remon, president for Europe at Equifax, said: “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
“It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
The credit agency confirmed last month that the breach was caused by a failure to patch a software vulnerability. While Equifax UK’s systems were not affected, a “process error” led to some British data being held in the US, the firm said.
A spokesperson for the National Cyber Security Centre said the breach had raised fears criminals may use the personal information to launch phishing attacks:
Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as:
“To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number.”