The European Union’s General Data Protection Regulation (GDPR) is the most significant shake-up of information security for many years.

Despite the toughening of rules and the harsh treatment of companies by regulators and the media, some organisations with big budgets and extensive capability are continuing to show scant regard for safeguarding the personal data of their customers.

News of the Equifax data leak emerged from the US, which saw the data of 143 million US citizens and, potentially, some 400,000 UK citizens compromised.

The US company said an investigation had revealed that a file containing UK consumer information “may potentially have been accessed”. The data includes names, dates of birth, email addresses and telephone numbers, but does not contain postal addresses, passwords or financial information.

The resignations of the chief information officer and chief security officer may have been pretty quick, but they didn’t stop dozens of US authorities at state level launching legal action against the firm.

This latest large-scale, headline-making data security breach may have happened in the US, and may only affect a relatively small proportion of UK citizens. With GDPR now in place, here we consider how the breach would be treated under GDPR.

Equifax data security breach key facts

Although the timeline and the company’s reporting around it are questionable, here’s what is currently known:

  • Equifax is a US firm based in Atlanta with a UK subsidiary
  • The hacked web server hosted complaint management software, a portal for online disputes
  • The server was unpatched against the CVE-2017-5638 Apache Struts vulnerability identified in March
  • On 18th September, Bloomberg News reported that Equifax had been the victim of a “major breach of its computer systems” in March 2017
  • Equifax had begun “notifying a small number of outsiders and banking customers” about this attack in early March
  • Suspicious network traffic at the server was identified on 29th July
  • A forensic review shows hackers had access to Equifax systems from 13th May to 30th July
  • The breach relates to a limited amount of UK data being stored in the US between 2011 and 2016

Treatment of the Equifax cyberattack under GDPR

It may well be the longest word in the English language but IF the Equifax cyber security breach had happened under GDPR, then the following rules would apply, shaping the response from the perspective of compliance and regulation.

No reporting delay

  • A common data breach notification requirement means organisations have to notify the local data protection authority of a data breach within 72 hours

Continual breach monitoring

  • The GDPR data breach notification rules are designed to ensure organisations constantly monitor for breaches of personal data

Need to prove consent

  • For all of the information held, the organisation would have to prove that it had clear and affirmative consent from each individual to process their data

Right to be forgotten

  • The organisation would have to justify long data retention periods because under GDPR it is not to hold data for any longer than necessary, and is not to change the use of the data from the purpose for which it was originally collected

Regulatory action

  • European data authorities, such as the UK ICO, have the power to act against the US company over the breach, even though it occurred in the US. Fines for non-compliance of up to €20m or 4% of group annual global turnover could be enforced

It should also be noted that it is entirely possible that, IF the organisation had implemented robust information security procedures and practice in line with GDPR, the breach may have been prevented in the first place…

Ensure GDPR compliance with Paralogic

GDPR entered into force on 25th May 2018. All organisations and businesses are in scope and there are no quick fixes to compliance.

The best approach is a thorough assessment of where your business stands currently on its IT security arrangements, and then a plan to get to where it needs to be to meet the GDPR standard.

Take the first step to developing a clear plan of how to get to where you need to be to achieve compliance with the GDPR standard: simply get in touch with us today.


Equifax security breach: What if it happened under GDPR?

9th October 2019
