Are you affected by the Equifax hack?

By Mark Andrews | Business | Published: | Last Updated:

It's hardly what you would call a red letter day.

"Your personal data has been accessed," says the letter which has landed on the doormat.

"Please read this letter and take action to protect yourself."

And, if you have not already had one of these letters, there is a real possibility you could be getting one of over the next few weeks.

The credit agency Equifax is writing to 167,000 people across the UK, on top of the 696,000 who were contacted last year, telling them their data has been stolen by cyber criminals. In total, it is estimated that 15.2 million files were compromised, so people can be forgiven for wondering whether this will be the end of the matter.

And just because you have never knowingly had any dealings with Equifax – indeed you might not even have heard of it – does not mean you are not at risk. Based in the American city of Atlanta, Georgia, Equifax is one of the "big three" credit reference agencies, which collects data on behalf of financial institutions to assess people's credit-worthiness. If you have a bank account, mobile phone contract, a credit card, or you pay your car or household premiums monthly, the chances are Equifax will have you on file.

So what should you do if you have had one of the letters? It is a sobering thought that if cyber criminals do use your personal details to steal, say, your life savings, the chances of recovering your money could be pretty slim.

"If someone hadn't got a system in place when they got hacked, you might have a claim, but if they do have a system in place, it's not generally the company's fault if they become a victim of hacking," says Andrew Pegg, of Shropshire law firm Lanyon Bowdler.

"The primary wrongdoer is the fraudster, and that is probably somebody sitting in their bedroom in Russia."


Mr Pegg says the first thing anybody does when they receive a letter purporting to be from Equifax is to check that it is genuine. The letters sent out by the credit reference agency feature a reference number top right, and it is possible to respond to the letter on the company's website If you are in any doubt, Equifax can be contacted on 0800 587 1584. If your letter tells you to call a different number or use another website, that should arouse your suspicions right away.

The company says none of its correspondence will ask for money or personal details, so anything that asks you to provide this is clearly fake. It says it will not contact anybody by email or telephone.

The next thing you should do is change all your passwords. For those whose affairs are simple, that should not be too onerous, but many people these days have multiple online accounts all of which could be vulnerable. Online banking is an obvious one, but if you shop online, do online share trading, or have an account with a bookmaker all of those passwords will need to be changed too.

"The important thing is not to choose something obvious, that people can find out," says Mr Pegg.


"Don't use your date of birth, or the names of your children, because people will be able to find that out."

Mr Pegg adds that it is important to use a different password for each online account. He also warns that putting too much personal information on social media is a gift to identity fraudsters. Posting details about a landmark birthday lets the world know your date of birth for example.

"If you show a picture of your house, you might help somebody find your address, or it might show a car registration number, all of which could be useful to fraudsters."

He also advises anybody affected to keep a close eye on all their transactions, to ensure no fraud takes place.

It may also be advisable to inform your current account, credit card and mortgage providers that your details have been compromised.

At the moment Equifax is offering free services to those at greatest risk, which monitor whether your identity has been compromised online. The offer has been greeted with understandable scepticism in some quarters. To benefit from the free services, victims need to provide a name, address, date of birth and email address, as well as provide answers to some security questions. But many have questioned whether it is wise to hand even more personal data to Equifax, while others have questioned whether accepting the terms of the company's offer will compromise their rights should they wish to take action against Equifax in future.

Mr Pegg admits that people face a hard choice in this respect.

"It makes sense to get greater protection, so it makes sense to sign up for it, but often the heart rules the head.

"I think if I had trusted my data with somebody – I appreciate with Equifax they had not necessarily knowingly trusted their data – and it had not been properly protected, I would be somewhat loath to give them more information."

On the other hand, he says large financial organisations are under constant attack from hackers, and just because a company has been successfully attacked does not mean it is to blame.

If you are concerned about the security of Equifax’s own products, the company is also offering to enrol those affected onto the Protective Registration Scheme run by anti-fraud body Cifas. However, if you want to sign up to the scheme free of charge, you will still have to give some personal information to Equifax. If you are not happy with this, is possible to enrol directly through Cifas, though this will attract a £20 charge for two years’ cover.

Equifax says that while a folder containing 15.2 million UK records dating from between 2011 and 2016 was attacked, many of these records were either duplicates or data for testing purposes.

It says that it has gone to great lengths to contact everyone who has been affected.

The company says the hack is being investigated by the authorities in the US, and promptly engaged a leading, independent cybersecurity firm called Mandiant which conducted a comprehensive forensic review.

While concerns about the hack are inevitable, Mr Pegg says the risk of being turned over is actually quite small, and there is no need for people to panic unduly.

"These days everything is done online, and you have to give all sorts of details out, if you didn't do that you wouldn't be able to do anything," he says.

"And it's not just doing things online. Anything that involves you giving details to another party, and that data being stored, could potentially be hacked."

A spokesman for the Equifax says: "We are staying focused on strengthening security and regaining the trust of consumers.

"It will be a long journey, as regaining confidence is not something that can be done overnight, and cybersecurity is an immensely complex challenge that needs to be faced as an industry. But we are committed to staying focused on these two priorities."

Mark Andrews

By Mark Andrews

Senior news writer for the Shropshire Star specialising in in-depth features and commentary, investigative reporting and political matters.


Top stories


More from Shropshire Star

UK & International News