Equifax has identified unauthorized access to limited personal information for certain UK customers, the company said in a prepared statement. The Atlanta-based credit monitoring services provider is working with UK regulators to address the data breach.
Cybercriminals may have accessed the names, dates of birth, email addresses and phone numbers of roughly 400,000 Equifax customers in the UK, according to Bloomberg.
UK consumers' personal information was exposed due to a mistake that enabled a limited amount of data to be stored in the United States between 2011 and 2016, the company stated. The company said it believes "identity takeover" is unlikely for UK consumers affected by the incident.
Equifax earlier this month released details about a data breach that affected approximately 143 million U.S. consumers. In addition, three senior executives sold company shares worth nearly $1.8 million just days before the breach, Bloomberg reported. The company said the executives did not know about the breach at the time of the stock sales.
Amid the U.S. breach fallout, Equifax last week announced Chief Information Officer (CIO) David Webb and Chief Security Officer (CSO) Susan Mauldin were "retiring," effective immediately. Mark Rohrwasser, an IT operations veteran who joined the company last year, now serves as interim CIO. Meanwhile, Vice President Russ Ayres has been named interim CSO.
What Caused the Data Breach?
A vulnerability in an Apache Struts web application framework was the initial attack vector for the Equifax data breach, the company said in a prepared statement.
The unauthorized access to files containing consumers' personal information occurred from May 13 through July 30, 2017, Equifax stated. However, the Apache bug was fixed in March, according to Ars Technica.
Moreover, Rui Lopes, manager at Panda Security, told MSSP Alert that the source of the data breach may have been around for at least nine years.
How Is Equifax Responding to the Data Breach?
Equifax is working with cybersecurity consulting services provider Mandiant to determine what information was accessed during the data breach and identify affected customers about the incident, the business said.
The company has created a dedicated website where consumers can find out whether they were impacted by the data breach, as well as a dedicated call center to assist consumers. It also is offering free credit file monitoring and identity theft protection services to all U.S. consumers.
