Equifax UK data breach: what did the investigators find?


In 2017, a cybersecurity incident at Equifax resulted in hackers stealing the personal data of up to 143 million US citizens and around 15 million UK residents. Following an investigation into the Equifax UK data breach, the Information Commissioner’s Office (ICO) fined Equifax Ltd, the company’s UK arm, £500,000.

The penalty was the maximum allowed under the Data Protection Act 1998, the legislation in force at the time of the breach. Under the current General Data Protection Regulation (GDPR), the ICO has subsequently handed out much larger fines to companies such as Marriott (£18.4 million), BA (£20 million) and Ticketmaster (£1.25 million).

What data protection failures were uncovered during the Equifax UK data breach investigation?

The ICO investigation, carried out in parallel with the Financial Conduct Authority (FCA), revealed multiple failures at the credit reference agency. For example:

  • Equifax contravened five of the eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of a legal basis for the international transfer of UK citizens’ data.
  • The measures that should have been in place to protect the personal data were found to be inadequate and ineffective.
  • There were significant problems with data retention, meaning personal information was being kept for longer than necessary and so remained exposed to unauthorised access.
  • The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was left unpatched when the attackers struck.

The Information Commissioner, Elizabeth Denham, said Equifax showed “serious disregard” for its customers and their personal information. She also said:

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

“This is compounded when the company is a global firm whose business relies on personal data.

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

What can you do following the Equifax UK data breach?

First and foremost, you should take steps to protect your data from further harm.

Protect your finances
  • Contact your bank or credit card provider immediately if your financial data has been exposed
  • Check all bills and emails for goods or services you have not ordered
  • Check your bank account for unfamiliar transactions
  • Alert your bank or credit card provider immediately if there is any suspicious activity
  • Monitor your credit score for any unexpected dips
  • Contact the UK credit reference agencies (Callcredit, now TransUnion; Experian; and Equifax) to ensure credit isn’t taken out in your name
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank)
  • Never be pressured into moving money to another account because of a supposed fraud. A legitimate bank won’t ask you to do this.
Be vigilant
  • Never automatically click on any suspicious links or downloads in emails or texts
  • Don’t assume an email or phone call is authentic just because someone has your details
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details
  • Know that, even if you recognise a name or number, it might not be genuine
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot
  • Never provide your full password, PIN or security code to someone over the phone (or via message). If a bank believes a transaction is fraudulent, it will not ask for this information to cancel the transaction
  • Listen to your instincts and ask questions if something feels “off”
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data
  • Don’t accept friend requests from people you don’t know on social media
  • Review your online privacy settings.
Put some data protection best practices in place:
  • Register with the Cifas protective registration service to slow down credit applications made in your name
  • Use a different, strong password for every account (a password manager can help with this), and change a password promptly if you think it may have been exposed
  • Protect your devices with up to date internet security software.

Join our group action

Keller Lenkner UK is pursuing an Equifax UK data breach group action claim. To become part of our group action, contact us to find out whether you are eligible to claim.

Crucially, it does not matter if you have not lost out financially because of the hack. If the data breach has caused you stress or anxiety, then the law agrees that you may be entitled to compensation.

Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Equifax data breach.
