Credit checking company Equifax has said the data of up to 400,000 Britons may have been stolen in a large-scale cyber attack.
A file containing the names, dates of birth, email addresses and telephone numbers of UK consumers may have been accessed in the hack, which compromised the data of 143 million Americans.
The news comes as Equifax announced its chief information officer and chief security officer were retiring from the organisation.
A spokesperson said the personnel changes, effective immediately, were “part of the company’s ongoing review of the cyber security incident”.
UK systems of the firm were not compromised by the hack, it said, but British customer information had been stored on US systems between 2011 and 2015.
Equifax handles the data of 44 million British customers, including those of firms like British Gas, BT and Capital One.
The company made efforts to reassure those whose data had been compromised, pointing out they were unlikely to be hit by “identity takeover”.
Those affected will be contacted in writing with advice and a free identity protection service.
“An internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation,” the company said.
The hack was only revealed to consumers last week, despite having been discovered in July.
The Information Commissioner’s Office ordered the firm to alert British customers, saying “criminals” had exploited a website application to access information.
The firm’s security infrastructure prior to the hack, and its response to the incident, have been widely criticised.
US Senator Mark Warner, a member of the Senate Banking Committee, accused Equifax of “exceptionally poor cyber security practices” and described its poor response to the incident as “alarming”.
Robert Pritchard, founder of The Cyber Security Expert, has told Sky News the breach was “an unmitigated disaster”.
Equifax UK president Patricio Remon said: “We apologise for this failure to protect UK consumer data.”
The firm said postal addresses, passwords and financial information of UK customers were not included in the leak, although credit card and social security numbers of American customers were breached.