Late on Friday evening, the UK arm of Equifax revealed that up to 400,000 people in the country “may” have been affected by the huge security breach in the US, where a flaw in the American firm’s systems left the data of as many as 143 million people exposed.
A press statement from Equifax Ltd, the UK branch of the firm, said it had “regrettably” found that people’s information could have been accessed because a file of UK data had been transferred to the US, where it was held on the systems that were hacked.
Within the data of the 400,000 customers were individual names, dates of birth, email addresses and telephone numbers. Equifax says physical addresses, passwords and financial data weren’t included in the information transferred to the US from the UK.
The UK customer data had been stored in the US for five years “due to a process failure”, the company’s statement explains. The arrangement had been in place since 2011 and was only corrected in 2016. But why were data sharing processes broken for five years?
“The first thing it shows is that they didn’t treat either people’s data or the law surrounding it seriously,” says Paul Bernal, a senior lecturer in law at the University of East Anglia. “Did they have no reviews of procedures for five years? That’s carelessness at best.”
The UK’s data protection regulator, the Information Commissioner’s Office, said in a statement that it has been “pressing” Equifax to establish how many people are affected and that it is investigating the “nature of the data breach”.
WIRED contacted Equifax for additional comment but the company only pointed us to its most recent statement.
Up until late 2015, transfers of personal data from European companies to the US were governed by the Safe Harbour agreement. That agreement was ruled invalid by the Court of Justice of the European Union in October 2015 and replaced by Privacy Shield in 2016.
The US Department of Commerce’s Safe Harbour list records Equifax as certified from the middle of 2012 until 2017. That certification therefore began a year after the UK consumer data had already started being held in the US. In addition, Equifax does not appear on the list of companies certified under Privacy Shield.
Fanny Hidvegi, European policy manager at Access Now, says it is unclear what Equifax means by having a “process failure”. “To me [Equifax’s] Safe Harbour certification suggests that it was not a process failure but a conscious choice,” she says. “What was the legal basis for data processing in the US before and after that date?”
Bernal says that many companies signed up to the Safe Harbour agreement would have done so as a matter of procedure. “I wouldn’t be at all surprised if there are many other companies in similar situations,” he says. “And I doubt they’re that alarmed by what’s happened to Equifax. There is a lot of complacency about this kind of thing”.
Going forward, he says, there should be “serious regulatory action” both in the UK and US, with “an acknowledgement that this isn’t likely to be just a ‘one rotten apple’ problem, but something that was an accident waiting to happen”.