back to article UK financial regulator confirms it is probing Equifax mega-breach

UK financial service regulators have launched an investigation into Equifax over its handling of the recent mega-breach. In a brief statement on Tuesday, the Financial Conduct Authority (FCA), which could fine the firm or revoke its right to operate in the UK, said it was "investigating the circumstances surrounding a …

  1. This post has been deleted by its author

    1. katrinab Silver badge

      Re: What Exactly Was The Breach ???

      The "others" are Call Credit; and National Hunter which is owned by Experian and focuses on credit application fraud rather than credit scoring.

      Unless you are a young child, or a homeless person who lives off cash donations, Equifax has a file on you, and an unauthorised person has accessed it.

    2. Anonymous Coward
      Anonymous Coward

      Re: What Exactly Was The Breach ???

      > If this is correct, then the breach may affect even those who do not use the companies for checking their credit status.

      You are correct. Potentially there are people who have never touched the web nor the Internet in their lives whose details are out there.

      1. Anonymous Coward
        Anonymous Coward

        Re: What Exactly Was The Breach ???

        Have any evidence of this, or have you just got bored of hating Uber and moved to this week's fashionable hate figure?

        If you can confirm next week's hate target that would be great. I heard it was Google for making a pixel 2 handset with a faulty oled screen....

    3. Anonymous Coward
      Anonymous Coward

      Re: What Exactly Was The Breach ???

      Oh yes, they have all your data from,

      Any credit agreement.

      Any phone contract.

      Utilities.

      Banking data.

      Any company that uses a credit reference agency usually gives them data back to get a discount. This data includes all your personal info such as address, phone etc... and payment information such as when you pay a bill or if you miss a payment.The only people not in the data set are hippies that have lived in a self sustaining commune all their lives with 4 cows and a duck though the number of animals may vary.

      I had the pleasure of working on this at a new telecoms company back in the day when their sharing of information was set up, so I must assume it works the same for everyone else and if you view your credit file it's clear that it does.

      1. Commswonk Silver badge

        Re: What Exactly Was The Breach ???

        Time to stock up on popcorn, I suspect.

        It will be interesting to find out exactly what personal data has been vulnerable to theft; it may very well be that the organisations that have provided information to Equifax about each and every one of us have overstepped the mark on what is permissible.

        I have not applied for any form of "direct" credit for over three decades, although obviously "indirect" credit (such as utility payments) don't necessarily fall into that category.

        I would be horrified to find out that Equifax had my bank account or credit card details; there is no reason for them to have that information under any circumstances. All they need is my name and address (12 Coleridge Close, Climthorpe*) and that should be quite enough to identify me.

        It would be very interesting to find out if anyone has provided more than is strictly necessary about me (or anyone else) post the requirements of various Data Protection legislation. And should "excess information" about me have been deleted post that date?

        It could very well be that companies provided more information than was strictly necessary for a credit - checking agency to function; if that turns out to be the case I sincerely hope that they too are heavily censured.

        * Actually the address of one Reginald Iolanthe Perrin

        1. katrinab Silver badge

          Re: What Exactly Was The Breach ???

          They have the details of your credit card account. That is guaranteed. This information will include your credit limit, your statement balance every month, how much you paid of that balance every month, and how many months late (hopefully zero) you were in making the payment. They will have the details of your bank account if you have an overdraft facility. It will show the amount overdrawn if any, every month, or £0 if it is in credit. They will also have details of any telecommunications accounts unless it is BT, or a pay as you go mobile.

        2. Mark 85 Silver badge

          @Commswonk -- Re: What Exactly Was The Breach ???

          It's almost guaranteed that they have a file on you. Credit card, bank account number or at least verification of an account, insurance (car and home), any utilities, employment (and places you applied for employment) and the list goes on and on. Last time I checked the Big 3 here in the States, I was surprised at what they had. They knew more about me than I knew about me.

          As the article states, just about every company share info back with them.

        3. Kurt Meyer

          Re: What Exactly Was The Breach ???

          @ Commswonk

          Please accept this upvote for the Reg Perrin reference.

    4. Lee D Silver badge

      Re: What Exactly Was The Breach ???

      Just wait for GPDR to come through.

      They are going to have to seek EXPLICIT consent for absolutely everything they store, and it ain't going to go down well.

      Though bank accounts (without overdraft) wouldn't attract a credit check necessarily, everything else you list is... well... credit. (Which should always be replaced with the word "debt"... it's a "debt card". You bought your phone "on debt". etc.).

      Though they could legitimately claim that you gave your consent by applying for credit at the moment, it's not going to be pretty for them implementing GPDR, especially if the ICO etc. are sniffing around because of breaches like this.

      1. Anonymous Coward
        Anonymous Coward

        Re: What Exactly Was The Breach ???

        "They are going to have to seek EXPLICIT consent for absolutely everything they store, and it ain't going to go down well."

        Not everything - there is a "legitimate interest" exception. See:

        See https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

        ..

        1. Doctor Syntax Silver badge

          Re: What Exactly Was The Breach ???

          Not everything - there is a "legitimate interest" exception.

          Nevertheless it raises a number of issues. If, under legitimate interest a data subject's bank passes data to a CRA who then gets breached what are the responsibilities of the bank? If it were they and not the CRA who had been breached then clearly they could expect to be fined under GDPR. But they decided they had a legitimate interest in passing on the data. Should they not still be liable?

          The data subject-facing business should remain liable under both civil and criminal law for any breaches further along the line, irrespective of how far the data gets passed. Apart from anything else it's the only way that the likes of Safe Harbour and Privacy Figleaf can be made to work. They should have to make judgements about the reliability of those to whom they pass data. It's not sufficient for data subjects to have to go to law in some other jurisdiction against a company with whom they have had no dealings although that should not preclude action under GDPR against all businesses in the chain.

          1. Anonymous Coward
            Anonymous Coward

            Re: What Exactly Was The Breach ???

            "The data subject-facing business should remain liable under both civil and criminal law for any breaches further along the line"

            Funnily enough this is exactly one of the things* that changes under GDPR. Under DPD-derived legislation, typically only the Processor who actually violates the law is liable. Under GDPR both the Controller and their subsidiary Processors are liable.

            There's a shitload of FUD and consultancy bullshit around GDPR, but honestly, at its core it is a pretty sane piece of legislation. I'd encourage everyone to go out and read, if not the entire law (it's not that long) then your local ICO's guidance on what the law practically means. You will probably find yourself nodding along thinking "Hrm, you know what, that actually kind of makes sense".

            *It's also worth noting that apart from this only two other things really change under GDPR. One is its scope, applying to any organisation that processes EU citizens' data regardless of where that organisation is. The other is the penalties involved, with fines of up to 4% of turnover. Almost everything else is pretty much the same.

      2. Anonymous Coward
        Anonymous Coward

        Re: What Exactly Was The Breach ???

        "They are going to have to seek EXPLICIT consent for absolutely everything they store, and it ain't going to go down well."

        This is a common misconception. GPDR, like the DPD before it, provides six Justifications for processing personal data. Consent is just one of those justifications. CRAs typically rely on:

        - Contractual necessity (e.g. your bank make it a condition of opening the account)

        - Legal obligation (e.g. compliance with fiduciary duty/due diligence legislation; remember they're a regulated industry)

        - Public interest (i.e. it's better for everyone if lending decisions are made on accurate information)

        and failing all else, the "legitimate interests" justification, but this is problematic as it requires a full privacy impact assessment rather than just a tick in the box.

        They neither need nor want your consent.

        1. Graham Cobb Silver badge

          Re: What Exactly Was The Breach ???

          As I said in an earlier thread, it is time we forced the credit reference agencies to clean up their act and severely limited their capabilities:

          Reform should mean that data kept must be limited to a small number of permitted categories, all recent and personal (not hearsay or "linked"), with the sources clear, and limited to clear factual data which can be easily either confirmed or refuted and immediately fixed without the co-operation of the source.

          Combine that with full control by the subject: full visibility not only of the data but history of all requests and responses (with future notifications if they wish) and full control over who may or may not make requests (able to be changed at any time).

          Yes, this would mean credit checks would be less conservative, and there would be more bad debt. But the world won't end.

  2. Anonymous Coward
    Thumb Up

    My advice to Equifax...

    ...is to offer an outgoing Government minister, and there will be plenty over the next few months, a nice easy non-exec director role - suitably remunerated. All problems gone!

  3. VinceH

    Optional

    "the Financial Conduct Authority (FCA), which could fine the firm or revoke its right to operate in the UK"

    Yeah, but in all likelihood they'll issue a light 'slap on the wrist' fine at most, and Equifeck will be able to continue as normal.

    I hope the investigation includes exactly how data stored in the US up to 2016 due to a 'process failure' that was supposedly fixed came to still be there in 2017. If I receive anything in the post from Equifeck to say I'm affected, my local MP will get a letter highlighting that very point - and I'd urge anyone else affected to do the same.

  4. Anonymous Coward
    Anonymous Coward

    They're smoldering, heres hoping the FCA adds some petrol...

    I've worked in financial services for the past 15 years, the FSA (predecessor to the FCA) let the credit-scoring agencies operate with hardly any oversight and most of it was cloak and dagger.

    What you see online for your "credit reference" score is only a fraction of the data they hold on you, getting access to your full file is very difficult (often data is selectively disclosed, even when a consumer demands the full file under the DPA), in addition the data is often "anonymised" and used for profiling or sold on without consent.

    Its going to be interesting to see the impact of GDPR..

    1. This post has been deleted by its author

      1. Mark 85 Silver badge

        Re: They're smoldering, heres hoping the FCA adds some petrol...

        Indeed, any company can pay the fee and get a list of people who meet the criteria the buyer wants. Sometimes is deep criteria (age, sex, income, household location, age of car, etc.) other times it's just maybe location of your home.

  5. Stevie Silver badge

    Bah!

    Baseball bats. Nutsacks.

    Gotta dream.

    Also: Why in the secret name of Azathoth isn't all this data encrypted?

    And kept in a non-relational manner?

    1. Brewster's Angle Grinder Silver badge

      Re: Bah!

      "Also: Why in the secret name of Azathoth isn't all this data encrypted?"

      Because the code was authored by Nyarlathotep.

      1. CrazyOldCatMan Silver badge

        Re: Bah!

        Because the code was authored by Nyarlathotep.

        And to see it, you have to pull off the mask. And suffer the inevitable SAN loss.

  6. tentimes

    On balance

    They should nail them to the wall for this. My only reluctance in kicking them out of the country is that it gives more power to other CRA's, who will exploit customers on the back of it. My guess is they have all been hacked anyway, we just haven't heard about it (i.e. they haven't got caught).

  7. a_yank_lurker Silver badge

    Only Blighthy?

    Can they be kicked out of the US also? Blighty might get lucky and we will still be stuck with the slimes.

  8. Doctor Syntax Silver badge

    "we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future."

    There seems to be an implicit message that this was a big mystery. How on Earth did such a thing happen?

    They know perfectly well. They left themselves unsecured. They shouldn't have needed to learn anything. They should have kept on top of securing things. The only way they'll really learn anything is to be handled penalties by every regulator in sight to the point where they can't pay management salaries let alone bonuses.

  9. Anonymous Coward
    Anonymous Coward

    Wet celery ready

    Who's got the flying helmet?

    Punishment due.

  10. Anonymous Coward
    Anonymous Coward

    Watchdog could ban firm from operating in the country

    or they could write an angry letter. Let me guess... they're gonna to be banned. From being hacked again.

  11. ThatOne Silver badge
    Big Brother

    > Also: Why in the secret name of Azathoth isn't all this data encrypted?

    Why should it? It's not like there is any reason to do so, the occasional theft doesn't reduce the commercial value of their data. More so since it's a captive market, it's not like their clients have the choice of not using their services. (And by "clients" I don't mean the data, I mean the companies requesting that data.)

  12. hoola Bronze badge

    Closing The Stable Door After the Horse Has Bolted

    The trouble with all this stuff about "working with the regulator" and "learning lessons" is that the crucial data has already gone. It cannot be got back, it is now out there forever. The only way to improve this is for huge fines, removing directors (no golden handshakes) and stopping licences to operate.

    With all theses "one-off" breaches that keep happening there cannot be much left that is secure.

  13. Anonymous Coward
    Anonymous Coward

    What about parcel company APC Overnight?

    This makes my pursuit against parcel company APC Overnight and its negligence in selling off personal data quite minuscule.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020