It now appears that the data breach at American credit rating agency Equifax, which was reported last month and is believed to have taken place between May and July 2017, exposed the records of 15.2 million clients from the United Kingdom as well, reports Reuters. Of these about 14.5 million records, collected between 2011 and 2016, doesn’t include information that might put consumers at risk, but the remaining 693,665 records contain sensitive information.

Equifax will notify the affected consumers and offer them risk mitigating solutions for free to minimise chances of possible misuse of the exposed data.

Last week, after the investigation into the breach had concluded, Equifax had said that the “forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications as the analysis of the completed forensic investigation is completed.”

Earlier this month, the company had informed that around 2.5 million additional US consumers were potentially impacted by the security breach, taking the total up to 145.5 million.

Mandiant (the security firm Equifax had contracted to investigate the breach) did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.

The company also provided an update on how Canadian citizens had been affected by the breach:

With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted, but that number was preliminary and did not materialize. The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens.

March breach

Last month, it came to light there had been another breach at Equifax in March 2017, which was related to a payroll service run by the company. The company insisted that the two incidents were not related, and that it had informed customers as well as the regulator about it. According to this Bloomberg report, Equifax notified some of its banking customers about a breach in March. Then law firm King & Spalding, which represents Equifax, hired FireEye Inc. owned cybersecurity firm Mandiant on behalf of the company. This probe is believed to have continued till May, but wasn’t publicly disclosed till now.

Types of data exposed in this breach

  • Personal information of US consumers, primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Apparently, driver license numbers of 10.9 million Americans were exposed in the breach, according to this WSJ report.
  • In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.
  • Plus, sensitive information of 693,665 British consumers, and personal information of about 8,000 Canadian consumers were also impacted by the breach.