In September 2018, the Information Commissioner’s Office (ICO) issued Equifax Ltd a £500,000 fine after a series of security flaws allowed hackers to access the personal details of millions of people in the UK and US.
Equifax is a huge credit reference agency. It is used by many companies to decide whether to issue mortgages, loans, store cards, credit cards, etc. So, it holds a wealth of information about people – many of whom are not Equifax customers. That’s why, when hackers gained access to the private details held by Equifax, it was big news.
The sensitivity of the personal information held by Equifax makes this breach one of the most severe breaches reported to date. But, to date, Equifax has still not compensated UK victims for this data breach.
Equifax agreed to pay $400 million (£577 million) to compensate and fund credit monitoring services for US victims, and we believe that consumers in England & Wales deserve compensation too.
This case could soon come to an end, but it’s not too late to claim!
The expert data protection lawyers at Keller Lenkner UK have set out everything you need to know about claiming Equifax compensation in this guide.
What happened in the Equifax data breach?
In 2017, Equifax’s poor security processes led to a massive data breach. Hackers accessed the private details of 146 million people in the US. And, following an investigation, the ICO discovered that 15 million people in the UK might also have been affected. To put this in perspective that is equivalent to just under a quarter of the whole population.
To make matters worse, Equifax failed to come clean straight away about the scale of the breach. And a former Equifax executive also sold his shares in the company before the news of the hack went public. Earning roughly $1 million in the process, the executive was set to profit at the expense of millions of customers. He has since been charged with insider trading, but his actions reflect a disdain for consumer data protection that is all too common.
Who has been affected in the UK?
In total, the breach has impacted:
- 9,993 UK data subjects who had their names, dates of birth, telephone numbers and driving licence numbers exposed.
- 637,430 UK data subjects who had their names, dates of birth and telephone numbers exposed.
- Up to 15 million UK data subjects who had their names and dates of birth exposed.
The ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services. Of this group, 12,086 people had their email addresses compromised, and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.
Furthermore, Equifax is a credit reference agency. When you apply for a loan, mortgage, credit card or mobile phone, the company you are requesting credit from might use Equifax to check your credit report and decide whether to approve your application. So, even if you are not an Equifax customer, they could hold your data, and this could be at risk.
The ICO’s Equifax data breach investigation
The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency.
- Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
- Measures that should have been in place to manage the personal data were inadequate and ineffective.
- There were significant problems with data retention meaning personal information was being retained for longer than necessary and vulnerable to unauthorised access.
- The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was not appropriately patched.
In short, the ICO has already found Equifax guilty.
However, the ICO’s investigation was carried out under older data protection law rather than the current General Data Protection Regulation (GDPR). The £500,000 fine was the maximum allowed under the previous legislation.
Furthermore, while fines are an essential step in ensuring big businesses like Equifax do more to uphold their data protection obligations, they do little to help those already affected by a breach. As such, anyone who has suffered because of the Equifax cyber-attack may seek to claim compensation.
Who can make a data breach compensation claim against Equifax?
Equifax sent a letter to those affected after the data breach, informing them that their data was at risk. Crucially, it does not matter if you have not lost out financially because of the Equifax hack. Being the victim of a data breach can have a significant impact on you mentally and physically.
Cybercriminals could use the details stolen in the Equifax data breach to commit further harm (e.g. in phishing attempts). Because of this breach, many people have already experienced theft, fraud, and emotional distress. If the data breach has caused you stress or anxiety, the law agrees that you are entitled to compensation.
Why should you join a group action case?
Because so many people are affected by the Equifax data breach, this case is being run as a group action. A group action claim is where multiple people – sometimes even thousands of people – have been affected by the same issue.
Starting a claim can be daunting, and it is not unusual for people who have perfectly valid complaints to be put off due to the risks of going up against a large and well-resourced defendant. A group action allows people with the same type of claim to bring it together on a collective basis. This strengthens their overall position and increases their chances of success.
However, just because a case is part of a group action, this does not mean that everyone will receive the same amount of compensation if successful. All claims are settled based on their merits, and each person will receive what they are owed.
How much does it cost to join the Equifax group action?
How much could you expect to receive if you make an Equifax data breach claim?
Once we have established whether you were involved in the Equifax data breach – and what data was compromised – we will ask you for evidence of any financial losses, distress, and/or inconvenience you have suffered because of the data breach. The amount you are likely to receive will depend on what information you had stolen and how the breach impacted you.
However, if you have experienced significant loss as a direct result of this data breach, the compensation you receive could be as much as £4,000 (or even more in the most severe cases).
Will Lloyd vs Google affect this case?
In very simple terms, the Court ruled that simply losing control of personal information is not sufficient grounds to make a data breach claim. Instead, victims must be able to demonstrate quantifiable distress and/or financial loss. We are examining how best to tackle this case in light of this judgement.
However, this ruling, while important, will not change the way we are handling claims for tens of thousands of clients. Individuals still have a right to compensation if they have suffered actual, or potential, financial loss or psychological injury following a data breach.
What should you do now?
Register to become part of our Equifax group action and let us know about any activity you believe happened because of the hack. This will help us with your case.
- Has your card been used without permission?
- Are there transactions that your bank has picked up that you have not made?
- Are you getting more spam or junk email with your name on it?
- Are you anxious or worried by the thought of people being able to access your data and has this caused or exacerbated any medical conditions?
There are strict time limits for making Equifax breach compensation claims, so it is essential to act now.