In 2017, poor security processes at Equifax led to a huge data breach. The ICO fined Equifax £500,000 for the data breach. This page explains how the Equifax data breach happened, the facts of the case, and the consequences for the affected victims.
The Equifax data breach happened when hackers gained access to the private details of 146 million people in the US. While Equifax said that its systems in the UK were not affected, it did admit that a file stored in the US may have been accessed. As such, up to 15 million UK individuals could have had their details breached.
The data included names, addresses, dates of birth, and credit card numbers. Some driving licence numbers and some email addresses were also included in the breach. Also, for some individuals, their Equifax credit services account info may have been exposed. In addition to the above data, this means that their username, password, secret question and answer could be breached. Some credit card payment amounts could also have been compromised.
See our answers to the FAQs we get asked about the Equifax Data Breach.
The Equifax data breach was announced in September 2017. The sensitivity of the personal information held by Equifax makes this breach one of the most severe breaches reported to date.
Equifax wrote to 693,665 UK customers confirming that they had their data breached. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book.
However, many victims will not have received a letter from Equifax. And, even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
If you have not received confirmation about your involvement (or if you have lost this evidence), but suspect your information was breached, you can ask Equifax if you were put at risk. This is called making a subject access request (SAR).
In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if Equifax does not provide the information.
Yes. If you used an Equifax security product between 2015 and 2017, your data could be at risk. But even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
While Equifax was the victim of a cyber-attack, it is the one who controlled your personal information. Poor security processes allowed the breach to happen, so Equifax is responsible.
The Information Commissioner’s Office (ICO) investigation revealed multiple security failures at the credit reference agency. In response, Equifax was fined £500,000. However, the investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation. So it could be argued that Equifax got off lightly.
Unfortunately, yes. Cybercriminals could use the details stolen in the Equifax data breach to commit further harm (e.g. in phishing attempts). Because of this breach, many people have already experienced theft, fraud, and emotional distress.
The ICO investigators discovered that almost 15 million people in the UK had their names and dates of birth stolen. This included:
More significantly, the ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services. Of this group, 12,086 people had their email addresses compromised and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.
The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency. For example,
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.