ICO Fines Equifax £500K After 2017 Breach
The £500,000 penalty is only the second time the UK privacy watchdog has used the full extent of its powers and comes after a major incident at the credit agency exposed data on 15 million UK customers.
The breach itself affected nearly 146m customers around the world, mainly in the US, and involved highly sensitive data including Social Security numbers, driver’s license numbers, tax IDs and much more.
Equifax was widely criticized at the time for failing to patch a known Apache Struts vulnerability for several months. It was this flaw that hackers ultimately exploited to attack the firm.
The ICO’s investigation, carried out with the Financial Conduct Authority, found that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. These included: failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.
Data management systems were “inadequate and ineffective” and there were issues with data retention, IT system patching, and audit procedures, the ICO claimed.
Information Commissioner Elizabeth Denham said the incident would have caused many UK consumers particular distress because they would not have been aware that the firm even held their personal data.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
It’s certain that the fine would have been many times greater had Equifax been investigated under the new GDPR regime.
Source: Information Security Magazine