
Credit reference agency Equifax Limited has been fined £500,000 by the Information Commissioner’s Office for failing to protect the personal data of up to 15 million UK customers during a 2017 cyber-attack.

Have you read our previous article on the IICSA being fined £200,000 for an e-mail data breach?

The facts

In the United States, between 13 May and 30 July 2017, Equifax Inc (Equifax US) suffered a data breach which affected 146 million customers globally – of this, up to 15 million were UK customers.

So what do Equifax Limited (Equifax UK), a UK-based company, have to do with a breach that happened in the United States?

Simply, Equifax UK are the UK arm of the company and Equifax US processed the data Equifax UK held on its UK customers. Equifax UK were found responsible for the personal data held on its UK customers.

Personal data in this instance included:

  • names and dates of birth;
  • financial details; and
  • addresses and telephone numbers.

Equifax UK were found to have failed to ensure that Equifax US protected UK customers’ personal data adequately.

Alarmingly, it was found that there were problems with data retention, IT system patching and audit procedures. This comes in light of Equifax US having been warned by the United States Department of Homeland Security about the vulnerability of its systems in March 2017!

Surely things do not get worse? Well, the Data Processing Agreement between Equifax UK and Equifax US was also found to be inadequate, as it failed to set out safeguards or security requirements.

Despite having contractual permission to do so, Equifax UK did not carry out appropriate audits / checks of Equifax US.

Why only a £500,000 fine?

With up to 15 million UK customers’ personal data being affected, £500,000 seems rather lenient on an organisation such as Equifax UK. However, as the breach (between 13 May and 30 July 2017) occurred before the Data Protection Act 2018 (DPA 2018) came into force (25 May 2018), the provisions of the Data Protection Act 1998 (DPA 1998) applied.

Under the DPA 1998, £500,000 is the maximum fine allowed. If the data breach had occurred on or after 25 May 2018, Equifax UK could have been subject to fines under section 83 of the DPA 2018, which defines the “higher maximum amount” as up to £17 million or 4% of total annual worldwide turnover, whichever is higher.

With the maximum fine being served on Equifax UK in this case, they must be relieved that the data breach did not occur under the new legislation!

Nevertheless, we may soon get an insight into the serious fines capable of being handed out under the DPA 2018 following the recent data breaches by Dixons Carphone and British Airways. They are certainly ones to watch!

What can Chattertons do for you?

We offer a full, tailored and holistic service to our clients and as such we have a number of Solicitors/specialists who can advise in relation to data protection and GDPR matters.

If you would like any further details in relation to data protection and GDPR compliance, or if you would like to discuss your specific needs and requirements, please contact your most convenient office, complete our online enquiry form on the right-hand side of this page or, if you would prefer, contact a team member directly.