
Equifax Data Breach Claim

THIS ACTION IS NOW CLOSED

In 2017, poor security processes at Equifax led to a huge data breach. The ICO fined Equifax £500,000 for the data breach. This page explains how the Equifax data breach happened, the facts of the case, and the consequences for the affected victims.  

What happened in the Equifax data breach?

The Equifax data breach happened when hackers gained access to the private details of 146 million people in the US. While Equifax said that its systems in the UK were not affected, it did admit that a file stored in the US may have been accessed. As such, up to 15 million UK individuals could have had their details breached.

The data included names, addresses, dates of birth, and credit card numbers. Some driving licence numbers and some email addresses were also included in the breach. For some individuals, their Equifax credit services account information may also have been exposed, meaning that, in addition to the above data, their username, password, and secret question and answer could have been breached. Some credit card payment amounts could also have been compromised.

Equifax Data Breach Timeline

  • May to July 2017
    Hackers carried out an attack on Equifax’s servers and gained access to the personal information of millions of people.
  • 29th July 2017
    Equifax discovered evidence of the cybercrime.
  • 7th September 2017
    Equifax publicly admitted to the data breach and said it affected 143 million people. The first US class action was filed against Equifax.
  • 8th September 2017
    Equifax notified the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) that some data relating to UK consumers may have been impacted by the cyber-attack.
  • 15th September 2017
    Equifax said that approximately 400,000 UK consumers had a combination of their name, date of birth, phone number and email address accessed in the cyber-attack.
  • 2nd October 2017
    Equifax released information which showed that an additional 27,000 UK consumers were thought to be affected.
  • 10th October 2017
    Equifax issued a press release with a revised number of 693,665 UK consumers.
  • 13th October 2017
    Equifax began posting letters to UK consumers alerting them to the data breach.
  • 20th September 2018
    The ICO issued Equifax Ltd with a £500,000 fine. According to the ICO, 15 million people may have been affected in the UK.
  • 22nd July 2019
    Equifax reached a $1.4 billion data breach settlement in a US-based consumer class action. $400 million will go towards compensating victims in the US.

The ICO's investigation

The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency.


Your questions answered

See our answers to the FAQs we get asked about the Equifax Data Breach.

FAQs about the Equifax data breach

The Equifax data breach was announced in September 2017. The sensitivity of the personal information held by Equifax makes this breach one of the most severe breaches reported to date.

Equifax wrote to 693,665 UK customers confirming that they had their data breached. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book. 

However, many victims will not have received a letter from Equifax. And, even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).

If you have not received confirmation about your involvement (or if you have lost this evidence), but suspect your information was breached, you can ask Equifax if you were put at risk. This is called making a subject access request (SAR).

In the UK, you can ask any organisation if your data was involved in a breach, and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if Equifax does not provide the information.

Yes. If you used an Equifax security product between 2015 and 2017, your data could be at risk. But even if you never used Equifax directly, your data could be compromised if you applied for a loan, mortgage, etc. (if the provider used Equifax to check your credit score).

While Equifax was the victim of a cyber-attack, it is the one who controlled your personal information. Poor security processes allowed the breach to happen, so Equifax is responsible.

The Information Commissioner’s Office (ICO) investigation revealed multiple security failures at the credit reference agency. In response, Equifax was fined £500,000. However, the investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation. So it could be argued that Equifax got off lightly.

Unfortunately yes, cybercriminals could use the details stolen in the Equifax data breach to commit further harm (e.g. in phishing attempts). Because of this breach, many people have already experienced theft, fraud, and emotional distress.

The ICO investigators discovered that almost 15 million people in the UK had their names and dates of birth stolen. This included:

  • 9,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.
  • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed.

More significantly, the ICO also discovered another data set (the GSC data set) which included 27,047 UK individuals. In this data set, the compromised information was account information for Equifax’s credit services. Of this group, 12,086 people had their email addresses compromised and 14,961 individuals had portions of their Equifax.co.uk membership details such as username, address, date of birth, plain text password, secret questions and answers, and partial credit card details accessed.

The ICO investigation, carried out in parallel with the Financial Conduct Authority, concluded that there had been multiple failures at the credit reference agency. For example:

  • Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
  • Measures which should have been in place to manage the personal data were found to be inadequate and ineffective.
  • There were significant problems with data retention, meaning personal information was being retained for longer than necessary and was vulnerable to unauthorised access.
  • The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was not appropriately patched.

You can read the ICO’s findings in full here.