Credit rating agency Equifax has been hit with a £500,000 fine from the Information Commissioner’s Office (ICO) following its data breach last year, which saw the personal details of millions of people around the world compromised.
Around 146 million people were impacted by the cyber attack, which collected details including names, dates of birth and contact information. While the majority of those affected were in the US, it is estimated around 15 million people in the UK were also caught up in the incident.
An investigation by the ICO determined that Equifax’s UK arm, Equifax Ltd, failed to take appropriate steps to ensure its US parent – Equifax Inc – was adequately protecting the details of British citizens.
The regulator ruled that the company was in breach of five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
Its investigation found serious shortcomings with data retention, IT system patching, and audit procedures, while it also revealed that Equifax Inc had failed to heed a warning from the US Department of Homeland Security in March 2017 about a critical vulnerability in its system that, if patched, could have prevented the breach.
Information commissioner Elizabeth Denning said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.”
In this case, many of the victims would not even have been aware that Equifax was holding their personal information, so learning they were affected by the attack would have been unexpected and caused “particular distress”.
The £500,000 fine was the maximum penalty the ICO could have imposed under the 1998 Data Protection Act that was in force at the time of the breach. However, this has since been superseded by the EU’s General Data Protection Regulation, which includes the potential for much larger fines, so similar failings in future could see a much tougher response.