Is Equifax getting away with its data breach because it happened pre-GDPR?

Share on facebook
Share on twitter
Share on linkedin

Equifax is the second-largest credit reference agency in the UK. But, in March 2017, a staggering data breach demonstrated how weak the company’s security processes were. The Equifax data breach happened when the personal data of hundreds of millions of people was stolen from the credit reporting giant.

Luckily for Equifax, the breach happened pre-GDPR (General Data Protection Regulation). So, while the Information Commissioner’s Office (ICO) subsequently fined Equifax £500,000 for its security failures, this punishment could have been much higher. For example, in 2020, British Airways was fined £20 million for its customer data breach.

The fact that the Equifax data breach happened under old data protection laws has proved to be even more fortuitous for the company. Not least because Equifax did not have to adhere to newer more stringent consumer rights guidelines.

Equifax hasn’t informed everyone that was impacted by the hack

Following the breach, Equifax wrote to 693,665 customers in the UK to confirm that they had their data stolen. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book and were accessed as part of the cyberattack. Many people who received this letter have since contacted Keller Lenkner UK to claim Equifax data breach compensation.  

But not everyone put at risk by the breach has been informed.

Today, in our post-GDPR world, companies must tell people if their personally identifiable data is involved in a security breach. But before the GDPR was introduced on 25 May 2018, these businesses were only advised to do so.

Following its investigation into the Equifax data breach, the ICO said that millions of people in the UK could be affected by the hack. So, many victims will not have received a letter from Equifax to let them know that their data was put at risk.

Anyone who used an Equifax security product (e.g. Equifax’s credit monitoring services) between 2015 and 2017 could have had their data exposed. What’s more, anyone who applied for a loan, mortgage, etc. during the data breach period (if the provider used Equifax to check their credit score) could also have had their data stolen in this breach.

But, if you have not had a letter, how can you find out if you were involved?

The good news is that Equifax knows exactly who was impacted by this breach. And it is legally required to tell you if your data was involved.

Making an Equifax data request

In the UK, you have a legal right to find out if and how an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this information. You can make a data request to find out if your data was involved in a hack or breach.

However, it has been our experience that, sometimes, defendants like to swamp people with data in response to such requests. And this can make it exceedingly difficult to find the information required in the facts supplied.

To make sure the process is as straightforward as possible, when you appoint Keller Lenkner as your data protection lawyers, we will provide the exact wording needed to get the information you require from Equifax – and only this data. 

Don’t let Equifax get away with it

There are many failings from Equifax that led to this breach being one of the largest disclosed. It is entirely down to these vast number of failings that the breach is so large and that the attack went undetected for so long.

In the US, a settlement required Equifax to pay $400 million to compensate affected consumers. And, if you live in the UK and were impacted by the Equifax data breach, we believe that you should also be compensated.

Register today to join our No-Win, No-Fee Equifax data breach.

Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Equifax data breach.

Share this article:

Share on facebook
Share on twitter
Share on linkedin