Ryan Dunleavy, Head of Media Disputes, comments in Global Data Review’s report on Equifax’s “wide-ranging attack against an English lawsuit seeking to hold it accountable for its high-profile data breach”.

Equifax Limited is being sued in the High Court by representative claimant Richard Atkinson on behalf of an opt-out class of approximately 15 million allegedly affected individuals.

Ryan comments that the defence detailed in court documents is “aggressive” and “very detailed”, reflecting the fact that there are many undecided points that the media and communications courts are going to have to make rulings upon in the near future for these types of cases. He also discusses the relevance of “threshold of seriousness” and “triviality” points that have been raised in Equifax’s defence. In addition, Ryan comments on Equifax’s attempt to challenge aspects of the Court of Appeal’s October 2019 decision in the data privacy class action of Lloyd v Google before that case has been considered by the Supreme Court.

To read the full Global Data Review article, “Equifax fights UK opt-out class action”, please click here. Global Data Review has authorised Stewarts to reproduce the article in PDF form.


A data breach took place in the summer of 2017 of information held by Equifax Limited’s parent company in the US, Equifax Inc. The Federal Trade Commission (FTC) in the US alleged that among the stolen information, the hackers copied around 147 million names and dates of birth, about 145.5 million social security numbers and a total of 209,000 payment card numbers and expiration dates.

The FTC stated that Equifax had been warned in March 2017 that one of its databases, the Equifax Automated Consumer Interview System, suffered from a critical vulnerability.

The FTC alleged that Equifax Inc’s security team ordered that the vulnerable systems be patched within 48 hours after being informed of the discovery. But the FTC said that Equifax Inc failed to check whether this had been carried out and that this failure meant that hackers could exploit the flaw and steal consumers’ personal details over several months.

In the UK class action, Mr Atkinson’s case is that data held on individuals in the UK was controlled by Equifax Limited, and was processed by Equifax Inc in its capacity as a data processor.

It was reported in July 2019 that Equifax Inc had agreed to pay up to $700m as part of a settlement in the US.

In September 2018, the UK’s Information Commissioner’s Office (ICO) reported that it had issued Equifax Limited with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during the cyberattack in 2017. The ICO said that although data systems in the US were compromised, it was Equifax Limited in the UK that was responsible for the personal information of UK customers. A copy of the ICO’s Monetary Penalty Notice is here.

The original Global Data Review article, first published on 19 December 2019, can be viewed here (subscription required).