Credit reference giant Equifax has been hit with the maximum £500,000 fine for failing to protect the details of up to 15 million people in Britain during the infamous 2017 data breach.
The Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection, conducted an investigation into the breach and determined that Equifax had held on to consumers’ data for longer than necessary, leaving it exposed to attackers.
While Equifax’s systems in the US were the ones targeted, the ICO investigation found that the credit reporting agency’s UK arm failed to take the appropriate measures to ensure consumers’ data was protected.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Information Commissioner Elizabeth Denham.
Damningly, she added:
“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The ICO conducted its investigation under the Data Protection Act 1998 rather than the GDPR, which is now in force, because the incident took place before the latter came into effect on 25 May 2018. Under the GDPR, where penalties can reach €20 million or 4% of annual worldwide turnover, whichever is higher, Equifax would likely have faced a far larger, multi-million pound fine.
The probe, conducted jointly with the Financial Conduct Authority (FCA), the UK’s financial regulator, also found significant problems with Equifax’s data retention, IT system patching and auditing procedures.
For its part, Equifax said it was “disappointed in the findings and the penalty.”
“The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk,” an Equifax spokesman added.
Image credit: LIFARS archive.