Equifax: 400k UK accounts ‘may be compromised’

Equifax has confirmed that the personal information of around 400,000 UK consumers may have been breached in its recent US cyber attack – which has also now seen the company’s CIO and CSO step down.

The Equifax statement said that while UK systems were not affected by the US attack, a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

The information was restricted to name, date of birth, email address and a telephone number. Equifax confirmed that the data does not include any residential address information, password information or financial data. Having concluded the initial assessment, Equifax established that it is likely to need to contact the affected consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them.

Equifax will also incorporate web and social media monitoring alerts for those affected, and provide links to services provided by other UK regulated organisations which these consumers may prefer to take up in addition to or instead of the free services provided by Equifax.

Patricio Remon, president at Equifax, said: “We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.”

Following the breach in July – which only came to light earlier this month – Equifax’s chief information officer, David Webb, and chief security officer, Susan Mauldin, also announced on Friday that they will be retiring from the company.

Commenting on the news, Dan Panesar, vice president EMEA at security specialists Certes Networks, said: “As the fall-out of the Equifax breaches continues, it is ever more apparent that not only is maintaining traditional approaches to cyber security an open invitation to hackers, but also that the mindset of most CIOs and CISOs needs to change.

“It’s all good and well having the buck stop with the CIO when a breach occurs, but when are boards going to take a holistic view of their risk profile, and empower dedicated security teams working under the supervision of the CIO to have full control over policy and implementation?”
