In 2017, poor security processes at Equifax led to a huge data breach. As a result of the privacy violation, hackers gained access to the private details of up to 15 million individuals in the UK.
The data exposed in the Equifax breach included names, addresses, dates of birth and credit card numbers. Some driving licence numbers and some email addresses were also included in the breach. Certain people also had their Equifax credit services account info compromised; this means that their usernames, passwords, secret questions and answers were at the mercy of hackers. Some credit card payment amounts could also have been accessed. These details can be used by cybercriminals to commit further crimes – including data theft and financial fraud.
In 2018, the ICO issued Equifax Ltd with a £500,000 fine (this was the largest fine possible before GDPR). But this money was not given to victims of the breach. The only way to get Equifax data breach compensation is to make a claim.
At Keller Lenkner UK, we have launched an Equifax data breach group action to help victims claim compensation and achieve justice. But Equifax still has not informed everyone who had their data violated and many people do not know that they were involved.
Our expert data protection lawyers explain how to find out if Equifax breached your data, as well as answering some of the other frequently asked questions in this case.
How would I know if Equifax breached my data?
To join our claim against Equifax, you need evidence that your personal information was involved in the data breach.
Equifax wrote to 693,665 UK customers confirming that they had their data breached. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book. If you are one of the people who have received such a letter, you can claim for Equifax data breach compensation.
However, many victims will not have received a letter from Equifax. And, even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
How can I get evidence that Equifax breached my data?
If you have not received confirmation about your involvement (or of you have lost this evidence), but suspect your information was breached, you can ask Equifax if you were put at risk. This is called making a subject access request (SAR).
In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if Equifax does not provide the information.
What other evidence will you ask for?
Once we have established whether you were involved in the Equifax data breach, we will ask you for:
- Evidence of any financial losses, distress, and/or inconvenience you have suffered because of the data breach. For example:
- Bank statements
- Correspondence (letters, emails, etc.) with banks, credit card providers, credit reference agencies, etc.
- Credit score reports (with dates of any dips)
- Details about medical appointments/prescriptions that relate to this data breach (e.g. due to distress/stress)
- Evidence of any fraudulent transactions, fraud attempts, alerts, cancelled cards that relate specifically to the card details breached
- Evidence of increased spam
- Anything else that may be relevant to support your claim.
Could my details have been breached if I am not an Equifax customer?
Yes. if you used an Equifax security product between 2015 and 2017 your data could be at risk. But even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).
Will I get part of the $1.4 billion compensation payment announced by Equifax?
No. Equifax will pay $1.4 billion to compensate victims in the US, but this does not go to victims in the UK. We believe that UK consumers deserve compensation too.
Will I get some of the ICO fine?
In 2018, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect personal data. However, while the ICO has the power to impose hefty fines on organisations in breach of their duties, it does not award compensation, so this money will not be given to victims of the breach. The only way to get Equifax data breach compensation is to make a claim.
Who is responsible for the data breach?
While Equifax was the victim of a cyber-attack, it is the one who controlled your personal information. Poor security processes allowed the breach to happen, so Equifax is responsible.
Am I at risk if Equifax breached my data?
Unfortunately yes, cybercriminals could use the details stolen in the Equifax data breach to commit further harm (e.g. in phishing attempts). Because of this breach, many people have already experienced theft, fraud, and emotional distress.
What are the different types of data breaches in this case?
The ICO investigators discovered that almost 15 million people in the UK had their names and dates of birth stolen. This included:
- 9,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.
- 637,430 UK data subjects had names, dates of birth and telephone numbers exposed.
More significantly, the ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services. Of this group, 12,086 people had their email addresses compromised and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.
How bad were Equifax’s data security processes?
The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency. For example,
- Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
- Measures which should have been in place to manage the personal data were found to be inadequate and ineffective.
- There were significant problems with data retention meaning personal information was being retained for longer than necessary and vulnerable to unauthorised access.
- The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer-facing portal was not appropriately patched.
Can I make a claim if I have not lost any money?
Yes, it does not matter if there is no evidence that the data stolen has been used to carry out identity theft or fraud. If your privacy rights have been breached the law agrees that you are entitled to compensation.
Is this claim likely to be successful?
We cannot say for sure, but we believe that we have a strong case. Especially as the ICO has already found Equifax guilty of failing to put appropriate security measures in place to prevent a cyber-attack. In the US, Equifax will pay $1.4 billion to compensate affected consumers in a similar action.
How do I make an Equifax data breach claim?
To join our Equifax data breach group action compensation claim you need to register with us. It is vital to sign up ASAP to ensure you do not miss out.