The Information Commissioners Office (ICO) has hit credit agency Equifax with a £500,000 fine for not protecting the personal data of 15 million UK customers.
Last year, the company’s US operation was attacked by cyber criminals between mid-May and the end of July, with about 146 million customers affected globally.
The ICO said that although the breach was in the US, Equifax was responsible for the personal information of its 15 million UK customers, and that the UK arm should have taken steps to ensure its American parent was protecting the information about the UK customers it was processing for the UK operation.
The personal information lost or compromised included names and dates of birth to addresses, passwords, driving licence and financial details.
The ICO investigation was carried out under the Data Protection Act 1998, rather than the current GDPR, because the failings happened before GDPR was introduced. Equifax’s failures included not securing personal data, poor data retention practices and lack of legal basis for international transfers of UK citizens’ data.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Information Commissioner Elizabeth Denham. “This is compounded when the company is a global firm whose business relies on personal data.”
“We are determined to look after UK citizens’ information wherever it is held.”
Read more about the Equifax breach
- Heads roll as Equifax reveals 400,000 Britons affected by breach.
- Equifax appears to have failed to roll out a patch that might have stopped the massive breach of its systems.
- Experts criticised the Equifax breach response as insufficient given the size and scope of the data loss, and said the company was likely not prepared for such an incident.
- While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify consumers of a problem much sooner.
The fine was the highest possible under the 1998 law.
The ICO investigation revealed problems with data retention, IT system patching and audit procedures. “Our investigation also found that the US Department of Homeland Security had warned Equifax about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was not appropriately patched.”
Last week, the US Government Accountability Office published a report on the breach, which was discovered by Equifax in July 2017.
“Equifax’s investigation of the breach identified four major factors, including identification, detection, segmenting of access to databases and data governance, that allowed the attacker to successfully gain access to its network and extract information from databases containing personally identifiable information,” the report said.