Credit rating agency Equifax has been hit with a £500,000 fine from the Information Commissioner’s Office (ICO) following its data breach last year, which saw the personal details of millions of people around the world compromised.
Around 146 million people were impacted by the cyber attack, which collected details including names, dates of birth and contact information. While the majority of those affected were in the US, it is estimated around 15 million people in the UK were also caught up in the incident.
An investigation by the ICO determined that Equifax’s UK arm, Equifax Ltd, failed to take appropriate steps to ensure its US parent – Equifax Inc – was adequately protecting the details of British citizens.
The regulator ruled that the company was in breach of five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
Its investigation found serious shortcomings in data retention, IT system patching and audit procedures. It also revealed that Equifax Inc had failed to act on a warning from the US Department of Homeland Security in March 2017 about a critical vulnerability in its systems; applying the patch could have prevented the breach.
Information commissioner Elizabeth Denham said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.”
In this case, many of the victims would not even have been aware that Equifax was holding their personal information, so learning they were affected by the attack would have been unexpected and caused “particular distress”.
The £500,000 fine was the maximum penalty the ICO could have imposed under the 1998 Data Protection Act that was in force at the time of the breach. However, this has since been superseded by the EU’s General Data Protection Regulation, which includes the potential for much larger fines, so similar failings in future could see a much tougher response.