Ian Whitehurst instructed on Equifax group action

September 21, 2018

Ian Whitehurst from Exchange Chambers has been instructed by data breach and cybercrime experts, Hayes Connor Solicitors, to advise on a group action to help victims of the Equifax data hack claim compensation.

The firm of online fraud and data protection solicitors is expecting an influx of queries from people whose data was put at risk by the credit reference agency. The group action is being initiated after Equifax was fined £500,000 by the Information Commissioner’s Office (ICO).

The ICO’s investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation.

The fine follows a 2017 cybersecurity incident which led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent. Following the data breach, it was revealed that Equifax’s failure to patch a server flaw resulted in hackers potentially stealing 143 million US citizens’ data, and the personal details of up to 15 million Brits. This sensitive information included email addresses, passwords, driving license numbers and phone numbers.

Furthermore, while Equifax originally said that no UK passwords or financial information were stolen in the hack, it has since admitted that the passwords and partial credit card details of almost 15,000 UK customers were compromised.

The ICO investigation revealed multiple failures at the credit reference agency. For example, measures which should have been in place to manage the personal data were found to be inadequate and ineffective. Investigators also found significant problems with data retention, IT system patching and audit procedures.

Information commissioner Elizabeth Denham said Equifax showed a “series disregard” for its customers and their personal information.

Commenting on the decision to launch a group action against Equifax, Kingsley Hayes, managing director at Hayes Connor Solicitors said: “The sheer scale of the Equifax data breach means that millions of people across the UK are now at an increased risk of theft and identity fraud. So we welcome the news that the ICO is holding Equifax to account.

“However, while fines are an essential step in ensuring big businesses like Equifax do more to uphold their obligations and keep people safe, it does very little to help those already affected by the breach. As such, anyone who has suffered following the Equifax cyber-attack should be looking to claim compensation.

“Crucially, it doesn’t matter if you haven’t lost out financially as a result of the Equifax hack. Being the victim of a crime can have a significant impact on you mentally and physically. So, if the data breach has caused you stress or anxiety then the law agrees that you are entitled to compensation.

“Helping people to achieve the recompense they deserve, at Hayes Connor Solicitors we are helping victims who want to seek compensation through a group action. If you were affected, you could be entitled to up to several thousand pounds, so it’s important to act now.”

Equifax is the second largest credit reference agency in the UK and is used by a wide range of companies to decide whether to issue mortgages, loans, store cards, credit cards, etc. So, even if someone is not an Equifax customer, it could still hold a wealth of information about them.

Commenting on the case, Ian Whitehurst said: “Many Equifax customers have had their financial information stolen, and that can be devastating if it gets used by cybercriminals to carry out fraud or theft. But, in addition to this, much of the data stolen from Equifax is considered to be personally identifiable information. This means that the data can be used to identify a specific individual, and be manipulated to undertake identity fraud.

“We should all be very worried about what could happen if our personal data gets into the wrong hands. With enough information, cybercriminals can steal our identities, apply for credit in our name, set up fraudulent bank accounts and access our existing accounts. So, it is understandable that victims would want to seek compensation for Equifax’s failure to look after their information correctly, and the best way to do this is through a group action case.”