Equifax breached, 143 million Americans affected, UK & Canada users potentially affected as well


(Andre Borie) #1

I also love how they call those people “consumers” despite the fact that you’ve got no choice in the matter. I can’t wait for this “credit history” bullshit to go away, it’s just too much risk for a single company to hold that much personal data about everyone without having the choice of opting out.

I think challenger banks should lead the way in providing a safer credit history system - if you apply for credit how about the lender using your bank’s API (through a normal authentication prompt) to get the info they need? This would limit the risks of a breach and also give the user a way to choose which company (the bank in this case) they trust with their credit data. Maybe some collaboration with Starling and other competitors is in order to get this sorted ASAP.

Update from Brian Krebs (a respected figure in the security community):

So our credit history could potentially be out there as well. Shit.


(Adam Williams) #2

Equifax said it discovered the breach on July 29. “Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company said.

Why are we only hearing about this now? :neutral_face:


(Andre Borie) #3

Because heads are rolling as I speak and nobody wanted the blame so they tried their best to sweep it under the rug. Typical for such a big company where there are more managers than actual productive employees.

Criminals exploited a U.S. website application vulnerability to gain access to certain files

I wonder if it’s linked to the recently discovered vulnerabilities in Apache Struts (a pretty old Java web framework - Google it), that seems to fit the use case for a big company and a legacy stack built a decade ago when Struts was the hottest thing on the market.


(Tommy Long) #4

It’s standard to call in digital forensics before doing a public announcement, and that could easily take 5 weeks. You need to make sure the hole is fully shut and systems are properly secured before you announce it to the public.


(Danny) #5

But is it standard for your executives to dump $250k worth of stock 2-3 days after?


(Adam Williams) #6

For sure, doing the investigation is important and they take a lot of time (you don’t need to tell me that :P). Given I’ve read reports that the initial unauthorised access took place in mid May though, they really dropped the ball in terms of detecting it in a timely manner and getting the consultants involved.


(knows someone who knows Tom quite well) #7

Has anyone been able to apply a credit freeze to their uk credit reference files? It is a legal requirement to offer this function in the USA but I can’t see it available here.


(Andre Borie) #8

Very good question. I was looking to freeze my credit as well, as soon as I arrived in the UK (I couldn’t believe nonsense such as “credit history” would even be legal under data protection laws - it sure wouldn’t in my country of origin), but I have yet to find anything about it.

I think the only reason it exists in the US is because it’s mandated by law, something the UK presumably lacks.


(Andre Borie) #9

Finally, heads are starting to roll. :smiling_imp:

I just wish however it would be the people in charge of security & policies that are charged, and not the insider traders. Insider trading is minor and reversible damage compared to the major data breach.


(Peter McDonald) #10

I doubt they will do anything in relation to the user details compromised, however. The US and the ICO here in the UK seem very reluctant to do anything about it.

It took Equifax several months to warn the compromised UK users, and the ICO didn’t see any reason to pressurise them into actually telling those affected.