
Equifax data breach — exercise your GDPR rights

In 2017, Equifax, one of the three largest credit reference agencies, suffered one of the most damaging data breaches on record. The compromised dataset held the personal and financial data of 147.9 million US consumers and 15.2 million UK records; Equifax later confirmed that 693,665 UK consumers had sensitive details exposed. Credit reference agencies hold especially sensitive data because banks, landlords and employers use it to make decisions about you.

⚖️ Regulatory action: In September 2018 the UK ICO fined Equifax Ltd £500,000 under the Data Protection Act 1998, the maximum available before GDPR took effect. In 2019 the US FTC, the CFPB and 50 US states and territories reached a settlement of up to $700 million with Equifax Inc.

What happened

2017 · 147.9 million US consumers affected; 15.2 million UK records in the compromised dataset (693,665 UK consumers with sensitive data exposed)

Attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638, for which a fix had been published in March 2017) in Equifax's US systems between May and July 2017 and exfiltrated extensive personal and financial data. Equifax did not detect the intrusion until the end of July 2017 and did not disclose it publicly until September 2017. The UK data involved had been held on Equifax Inc.'s US systems; the ICO found that Equifax Ltd had not put adequate safeguards around that transfer, had failed to implement appropriate security measures, and had kept UK consumer data in the US beyond its intended retention period.

Data exposed:
  • Full names
  • Dates of birth
  • Addresses (current and historical)
  • Phone numbers
  • Email addresses
  • National Insurance numbers (UK)
  • Social Security numbers (US)
  • Driver's licence numbers
  • Credit card numbers and expiry dates
  • Credit score and account history

What you can do

If you are a UK resident who has ever held a credit card, loan or utility account, Equifax almost certainly holds detailed data about you, and those records may have been among those exposed in the 2017 breach. A subject access request to Equifax Limited will show you exactly what credit, financial and personal data it holds, how long it retains it and who it shares it with.

You have two key rights under GDPR:

Note: For UK residents, the relevant controller is Equifax Limited. Address your request to: Data Protection Officer, Equifax Limited, PO Box 10036, Leicester, LE3 4FS, UK, or submit it through Equifax's online privacy portal.

Generate your access request

This letter is pre-addressed to Equifax Limited, the UK data controller for Equifax.

To: Equifax Limited
PO Box 10036, Leicester, LE3 4FS, United Kingdom

Dear Data Protection Officer,

I am writing to exercise my right of access under Article 15 of the UK General Data Protection Regulation (UK GDPR). As an individual whose personal data you process, I request the following:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

Please respond within one month of receiving this request, as the UK GDPR requires. If you do not, I will consider lodging a complaint with the Information Commissioner's Office.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller. Equifax will normally ask you to verify your identity before releasing anything; respond promptly, because the statutory clock only starts once the controller has the information it reasonably needs to confirm who you are.

2. Follow up until you hear back. The UK GDPR requires a response without undue delay and within one month; the controller may extend this by up to two further months for complex or numerous requests, but must tell you so, with reasons, within the first month.

3. No response? Lodge a complaint with your data protection authority (the ICO for UK residents).
