The data of around 400,000 people in the UK may have been accessed when US credit agency Equifax suffered a massive data breach over the summer.
The firm had previously disclosed that up to 143 million Americans’ data may have been exposed after hackers exploited a software vulnerability.
On Friday, Equifax said UK consumer data may also have been accessed due to a “process error” that led to some British data being held in the US.
It said in a statement emailed to NS Tech:
“Equifax Ltd. (UK) can now confirm that UK systems are not affected. Equifax Ltd. and TDX Group systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident.
“Regrettably the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.”
The firm said it would need to contact fewer than 400,000 UK consumers to offer advice and services to “help safeguard and reassure them”.
The potential breach of UK consumer data includes names, dates of birth, email addresses and telephone numbers, according to Equifax, but no residential address information, passwords or financial data.
The credit agency confirmed earlier last week that the breach was caused by a failure to patch a software vulnerability. It also revealed on Friday that its chief information and security officers would be retiring.
The National Cyber Security Centre said the breach had raised fears criminals may use the personal information to launch phishing attacks.
Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as:
“To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number.”
These phishing messages may be unrelated to Equifax and may use more well-known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.