UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles

'People have been left in the dark for too long'


Equifax may soon face the wrath of UK politicians after the chairman of the country's House of Commons Treasury Committee demanded answers from the firm over its handling of its recent data breach.

Nicky Morgan MP has written to the chief executive of Equifax Limited asking for further details about the scale of the breach, and what compensation it will provide. Morgan has also written to Andrew Bailey, chief executive of the Financial Conduct Authority (FCA), for his assessment of Equifax's response to the incident, and whether the finance watchdog is considering further action. Equifax's UK business is authorised by the FCA.

On September 7, Equifax admitted a cybersecurity incident had affected 143 million people (later revised upwards to 145 million). The breach, centred on US systems and blamed on the firm's failure to apply an Apache Struts patch, also affected 400,000 Brits, the credit reference agency said on September 15. On October 10, Equifax said it had underestimated the effect the breach would have on UK accounts, as previously reported.

It now estimates a file containing 15.2 million UK records dating from between 2011 and 2016 was compromised. Most of the contents were duplicates or test data, so in real terms the private details of almost 700,000 people have been exposed. Equifax has promised to contact affected Brit consumers by post. The breach began in May 2017 and persisted until it was discovered in July. Equifax has had weeks to get a grip on its incident response but has messed up at every turn.

For example, Equifax's breach-handling website, equifaxsecurity2017.com, looked so unofficial and bodged that many feared it was a phishing site. The credit agency was obliged to drop terms and conditions that implied signing up for free credit monitoring in response to the breach would result in forfeiting rights to sue. A site designed to allow consumers to determine if their personal data had been breached (trustedidpremier.com) was found to return apparently random results instead of accurate warnings or assurances.

Security watchers were unimpressed by this and other developments – including attempts to blame the whole mess on a mistake by a single technician. The Treasury Committee chairman shares concerns that Equifax has mishandled the notification process.

"Equifax has taken too long to notify those affected by its widespread cybersecurity breach. People have been left in the dark for too long, which has increased the risk that they fall victim to identity theft and fraud," Morgan said. "It is particularly concerning that the breach occurred in a business that sells identity protection services, and is looking to take advantage of the commercial opportunities afforded by data-sharing initiatives, such as Open Banking."

It's not immediately clear whether Equifax will be called before the influential Treasury Committee or some other Westminster committee. Recently departed Equifax chief exec Rick Smith appeared before the US House subcommittee on consumer protection earlier this month, where he spent much of his two-and-a-half hours attempting to justify why Equifax withheld news of the breach for weeks. He also blamed a single unnamed technician for missing the Apache Struts patch, as previously reported here.

Consumers have little to no choice about doing business with Equifax, whose services are used by third-party businesses to check credit scores. The firm also sells credit monitoring and fraud-prevention services directly to consumers. Exposing these consumers to increased risk of ID fraud as a result of one of the worst security breaches in history only compounds bad feeling against the beleaguered breach-hit bunch.

Just last night, security researcher Randy Abrams said he found what looked like a fake Flash Player Update redirect on the site. He included video here. It has 99 problems and, well ... perhaps Westminster had better take a number... ®
