Equifax data hack fine – does more still need to be done?


The investigation into the Equifax data hack resulted in a financial penalty of £500,000.

However, the investigation was carried out under the Data Protection Act 1998 rather than the current General Data Protection Regulation (GDPR), and the £500,000 fine is the maximum allowed under the previous legislation. So it could be argued that Equifax got off lightly.

The Equifax data hack investigation

The Equifax data breach compromised the personal information of million customers as hackers gained access to its systems. As a result, 30,000 people had their email addresses stolen and 15,000 had their credit card details put at risk.

The potential consequences of the breach include financial fraud, identity fraud, cyber-extortion and online harassment.

The Information Commissioner’s Office (ICO) investigation was carried out in parallel with the Financial Conduct Authority (FCA). While the FCA does not typically disclose whether it is looking into a company, it said it had chosen to confirm the existence of an investigation given the “public interest” in the case.

The investigation revealed multiple failures at the credit reference agency. For example:

  • Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data
  • Measures which should have been in place to manage the personal data were found to be inadequate and ineffective
  • There were significant problems with data retention, meaning personal information was being retained for longer than necessary and was vulnerable to unauthorised access
  • The US Department of Homeland Security had warned Equifax Inc. about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was not appropriately patched.


While Equifax was the victim of a cyber-attack, it was responsible for protecting your personal information. But, despite the ICO’s investigation finding Equifax to blame for this appalling data protection failure, the ICO does not award data breach compensation.

So, while the fine is an essential step in ensuring big businesses like Equifax do more to uphold their obligations and keep people safe, it does very little to help those already affected by the breach. As such, anyone who has suffered following the Equifax cyber-attack should be looking to claim compensation.


In this case, along with the financial info stolen, the hackers also gained access to personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud. For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

Signs that criminals have used your data following the Equifax data breach include:

  • Bills or emails showing goods or services you haven’t ordered
  • Unfamiliar transactions from your account
  • An unexpected dip in your credit score
  • Unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

What should you do now?

At Hayes Connor Solicitors, our data breach solicitors are helping victims of the Equifax data hack to claim compensation and get the payment they deserve. In fact, since the breach, our data breach and cybercrime experts have witnessed an influx of queries from people who are concerned that their data may be at risk.

As a result, we have launched a group action against Equifax.

Crucially, it doesn’t matter if you haven’t lost out financially as a result of the Equifax hack. Being the victim of a crime can have a significant impact on you mentally and physically. So, if the data breach has caused you stress or anxiety then the law agrees that you are entitled to compensation.

Why join our multi-party action?

Multi-party actions give our clients more power against big businesses. This is because a group of people who have suffered the same or similar injuries due to the negligence of the same defendant (in this case Equifax) join together to claim for compensation. In short, it gives us strength in numbers.

Data breaches often have severe consequences for those affected so you could be entitled to significant compensation. Making a claim is simple and doing so sends a message to organisations everywhere that they must do more to protect their customers from identity and financial theft, and emotional distress.


We are also providing no-win, no-fee funding arrangements in this case, and, if successful, we won’t charge a “success fee”. This means, if you are awarded £1,500, you will get all of the compensation. There are no solicitor’s fees win or lose.

Let our data breach solicitors help you

To become part of the Equifax group action, you will need to register with Hayes Connor Solicitors. Doing this guarantees that you will form part of the compensation claims that will be lodged by the firm. While each case is different, it is expected that each person will be able to claim up to £2,500 (possibly even more for people who have had their financial data stolen).

If you have been affected and want to join the group action, you can register your details here.

