In 2017, poor security processes at Equifax led to a huge data breach. The ICO fined Equifax £500,000 for the data breach. This page explains how the Equifax data breach happened, the facts of the case, and the consequences for the affected victims.
The Equifax data breach happened when hackers gained access to the private details of 146 million people in the US. While Equifax said that its systems in the UK were not affected, it did admit that a file stored in the US may have been accessed. As such, up to 15 million UK individuals could have had their details breached.
The data included names, address, dates of birth, and credit card numbers. Some driving licence numbers and some email addresses were also included in the breach. Also, for some individuals, their Equifax credit services account info may have been exposed. In addition to the above data, this means that their username, password, secret question and answer could be breached. Some credit card payment amounts could also have been compromised.
See our answers to the FAQs we get asked about the Equifax Data Breach.
The Equifax data breach happened when hackers gained access to the private details of 146 million people in the US. While Equifax said that its systems in the UK were not affected, it did admit that a file stored in the US may have been accessed. As such, up to 15 million UK individuals could have had their details breached.
The data included names, address, dates of birth, and credit card numbers. Some driving licence numbers and some email addresses were also included in the breach. Also, for some individuals, their Equifax credit services account info may have been exposed. In addition to the above data, this means that their username, password, secret question and answer could be breached. Some credit card payment amounts could also have been compromised.
The Equifax data breach was announced in September 2017. The sensitivity of the personal information held by Equifax makes this breach one of the most severe breaches reported to date.
Equifax wrote to 693,665 UK customers confirming that they had their data breached. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book.
However, many victims will not have received a letter from Equifax. And, even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
If you have not received confirmation about your involvement (or of you have lost this evidence), but suspect your information was breached, you can ask Equifax if you were put at risk. This is called making a subject access request (SAR).
In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if Equifax does not provide the information.
Yes. if you used an Equifax security product between 2015 and 2017 your data could be at risk. But even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
While Equifax was the victim of a cyber-attack, it is the one who controlled your personal information. Poor security processes allowed the breach to happen, so Equifax is responsible.
The Information Commissioner’s Office (ICO) investigation revealed multiple security failures at the credit reference agency. In response, Equifax was fined £500,000. However, the investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation. So it could be argued that Equifax got off lightly.
Unfortunately yes, cybercriminals could use the details stolen in the Equifax data breach to commit further harm (e.g. in phishing attempts). Because of this breach, many people have already experienced theft, fraud, and emotional distress.
The ICO investigators discovered that almost 15 million people in the UK had their names and dates of birth stolen. This included:
More significantly, the ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services. Of this group, 12,086 people had their email addresses compromised and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.
The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency. For example,
KP Law has some of the most skilled consumer-rights lawyers in England and Wales. Here are just some of our success stories.
With innovation, resources and expertise, KP Law fights for justice for each and every client.