In 2017, a cybersecurity incident at Equifax resulted in hackers stealing the personal data of up to 143 million US citizens and 15 million Britons. Following an investigation into the Equifax UK data breach, the Information Commissioner’s Office (ICO) fined Equifax £500,000.
The investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation. So it could be argued that Equifax got off lightly.
What did the Equifax UK data breach investigation find?
The ICO investigators discovered that almost 15 million people in the UK had their data stolen. This included:
- 9,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.
- 637,430 UK data subjects had names, dates of birth and telephone numbers exposed.
- Up to 15 million UK data subjects had names and dates of birth exposed.
However, more significantly, the ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services.
Of this group, 12,086 people had their email addresses compromised and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.
The ICO’s findings revealed that the storage of passwords in plain text was contrary to the company’s own policy, which specifically required passwords to be stored in encrypted, hashed, masked, tokenised or otherwise protected form. This data file was also held on a file share that was accessible to multiple users.
The ICO found no valid reason why this data was not stored correctly and in line with company policy. It also said that Equifax did not seem to be aware of why this data was being processed until after the breach. This is a clear breach of data protection laws.
Commenting on the breach, the Information Commissioner, Elizabeth Denham, said Equifax showed a “serious disregard” for its customers and their personal information. She also said:
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency. For example:
- Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of a legal basis for international transfers of UK citizens’ data.
- Measures which should have been in place to manage the personal data were found to be inadequate and ineffective.
- There were significant problems with data retention, meaning that personal information was being retained for longer than necessary and was vulnerable to unauthorised access.
- The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning that a consumer-facing portal was not appropriately patched.
What can you do about the Equifax UK data breach?
Keller Lenkner UK has launched a group action against Equifax. Group actions can be a powerful tool and can have a bigger impact than a single claim.
IF YOU HAVE BEEN AFFECTED BY THE EQUIFAX DATA BREACH, WE CAN HELP YOU MAKE A NO-WIN, NO-FEE CLAIM FOR COMPENSATION.
Not sure if your information was included in the Equifax data breach?
Equifax knows exactly who was impacted by this breach. But you have to ask Equifax if you were involved. This is called making a Subject Access Request (SAR). To keep the process straightforward, the Keller Lenkner data breach team can make a SAR on your behalf.
Crucially, it doesn’t matter if you haven’t lost out financially as a result of the hack. If the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation. Equifax has reached a $1.4 billion data breach settlement in a US-based consumer class action, and we believe victims in the UK deserve compensation too.