Major credit reference agency Equifax Ltd has been fined £500,000 by the Information Commissioner’s Office for failing to adequately protect personal information
A leading data protection lawyer has said that Equifax Ltd, a major credit reference agency, is now likely to face a significant number of claims for compensation after it was fined £500,000 by the Information Commissioner’s Office for failing to adequately protect the personal information of up to 15 million UK citizens following a cyber attack in 2017.
The cyber attack on the US parent company, Equifax Inc, occurred between 13 May and 30 July 2017 and affected 146 million customers globally.
In a report published today the ICO found that Equifax Ltd, the UK arm of the company, was responsible for the personal information of its UK customers and that it failed to take appropriate steps to ensure the American parent company was keeping this information safe.
The ICO report found multiple contraventions of the Data Protection Act 1998 by Equifax Ltd, including a failure to take adequate steps to secure personal data, poor retention practices and lack of legal basis for international transfers of UK citizens’ data.
The precise information compromised varied between affected individuals but included names and dates of birth in all cases. In some cases it also included telephone numbers and driving licence numbers. In relation to 15,000 customers this also included the account information for Equifax’s credit services including username, password, secret question and answer, credit card number (obscured) and some payment amounts.
In the report, the ICO found that the data breach was likely to cause substantial damage and distress because many of those affected were not even aware that Equifax were processing their personal information, that the loss of information by a credit rating agency may have led those affected to believe that the data breach would affect their credit rating and that the hacked personal data could be exploited by fraudsters and others engaging in criminal activity.
“It beggars belief that an organisation whose global business is actually based on handling personal data appears to have acted in such a cavalier way in relation to the safety of its operations.
“The seriousness of this breach, both in terms of the number of people affected and the potential for financial fraud as a result of the breach, is reflected in the fact that Equifax Ltd has been fined the maximum amount possible under the legislation in place at the time of the incident.
“Completely separate from this fine, those affected by the data breach are likely to have claims for compensation against Equifax Ltd for failing to adequately protect their personal information. This would include not just claims by those suffering any financial loss but also claims by those suffering distress and inconvenience suffered as a result of the breach itself.”