The UK arm of credit reporting agency Equifax has been fined £500,000 by the Information Commissioner's Office for its failure to protect customers' private data during a 2017 breach of its systems.
Equifax announced in September 2017 that its systems had been penetrated by unknown attackers, though it initially believed the breach to be limited to around 143 million of its US customers. Even as questions were raised regarding the timing of $1.8 million in stock sales made by three executives at the company after the breach was known internally but before it was made public, the bad news continued: the company confirmed that around 400,000 UK customers were also affected, a figure it would later revise to 15 million.
Such a significant breach was, naturally, brought to the attention of the UK's Information Commissioner's Office, and that organisation's investigation has now completed with the issuance of a £500,000 fine to Equifax UK.
'The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,' explains Information Commissioner Elizabeth Denham of the ruling. 'This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.'
The investigation found that Equifax's measures for the management and protection of personal information were entirely inadequate and ineffective, citing 'significant problems with data retention, IT system patching, and audit procedures'. It also found that the US Department of Homeland Security had warned the company's US arm of a serious vulnerability in March 2017, yet Equifax had not taken adequate precautions against its exploitation.
'Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress,' Commissioner Denham continues. 'Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.'
The timing of the breach and the ICO investigation, however, has saved the company a significantly larger penalty: the investigation was carried out under the terms of the Data Protection Act 1998, which allows for a maximum £500,000 fine regardless of the size of the company involved. Since May this year, the Europe-wide General Data Protection Regulation (GDPR) has increased the maximum possible penalty to the greater of £17.8 million or four percent of the company's turnover.