(This version of the October 11 story corrects number of citizens affected in paragraph 1)
By Eric Auchard
LONDON (Reuters) – The powerful chair of Britain’s parliamentary treasury committee demanded on Wednesday that U.S. credit reporting agency Equifax explain why it has taken more than a month to notify users of a massive data breach affecting more than 15 million records and nearly 700,000 UK citizens.
Nicky Morgan, chair of the House of Commons’ Treasury Committee, also wrote to Britain’s financial regulator to determine whether Equifax had violated terms of its license to operate in the country and whether the regulator had the power to compel the company to provide compensation to UK consumers.
On Tuesday, Equifax revealed that 15.2 million records on British citizens were involved in the breach, including sensitive data on what it said were 693,665 individuals, for whom credit protection services were offered. The compromised credit information dated from 2011 to 2016, the company said.
The UK data accessed by unknown hackers included credit accounts, user credentials, partial credit card details and driver license numbers. The remaining 14.5 million records contained names and birth dates of UK consumers were “potentially compromised”, the company disclosed.
More than a month ago, Equifax first revealed it had been the target of a massive data breach which hit around 143 million people, mostly in the United States. It acknowledged at the time an unspecified number of Canadian and UK residents were hit. It later updated the total number of victims to 145.5 million.
Equifax did not respond to requests for further comment.
U.S. consumers started being notified by Equifax after it disclosed the incident on Sept. 7. Equifax Ltd, its British unit said on Tuesday it had begun notifying UK consumers by post after receiving data on potential victims from its U.S. parent.
CROSS-BORDER DATA TRANSFERS
Equifax said last week a probe by computer forensics firm Mandiant had concluded that, while its UK business had not been breached directly, large amounts of data on British consumers stored in the United States had been compromised.
The breach occurred in May and continued until it was discovered in July of this year, the company said.
In Britain, Equifax is licensed as a credit reference agency and broker by the Financial Conduct Authority (FCA), which said it has been discussing all aspects of the incident with it, but declined to comment further.
Commons Treasury Chair Morgan also demanded to know from the FCA whether Equifax’s decision to store sensitive data on UK consumers in the United States broke any rules on intra-company, transnational data transfers.
Separately, the UK Information Commissioner’s Office (ICO), which is charge of enforcing data protection regulations, said it was continuing to investigate how UK consumers were affected.
“We have been pressing Equifax to confirm the scale and any impact on UK citizens,” an ICO spokeswoman said. The maximum fine the ICO can levy for breaches of UK data protection rules is 500,000 pounds ($660,500).
Equifax is one of the big three credit reference agencies in Britain, along with rivals Experian Plc and TransUnion. Globally, it collects data on more than 820 million consumers and more than 91 million businesses in 24 nations.
(Reporting by Eric Auchard; editing by Stephen Addison)