The UK’s data protection regulator has issued Equifax with a £500,000 fine after it suffered one of the largest breaches in history.
Cyber criminals stole data on 146 million customers of the US credit rating agency between May and July last year. The data mostly related to Americans, but 15 million British customers were also affected and nearly 700,000 had sensitive personal data stolen.
The fine is the highest the Information Commissioner’s Office (ICO) could issue under the data protection legislation in force at the time of the breach. Had the breach taken place a year later, Equifax could have faced fines of up to 4 per cent of its annual global turnover under GDPR.
In its investigation, which was carried out in conjunction with the Financial Conduct Authority, the ICO found that while the data was held in the US, it was ultimately the responsibility of Equifax Ltd, the company’s British unit. Equifax claims it intended to store the British data in the UK, but that a “processor error” led to some being held in the US.
The ICO also found that Equifax had contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
The company had been warned by the US Department of Homeland Security about a critical vulnerability in its systems two months before the breach occurred, but it failed to take steps to fix the issue, according to the ICO’s report.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said the Information Commissioner Elizabeth Denham. “This is compounded when the company is a global firm whose business relies on personal data.”
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
Equifax says it is investing £23m in its cyber defences in the UK in light of the attack. In a statement emailed to NS Tech, a spokesperson said the company was “disappointed in the findings and the penalty” and is “considering the detailed points made” in the ICO’s report.
“The criminal cyberattack against our US parent company last year was a pivotal moment for our company,” the spokesperson added. “We apologise again to any consumers who were put at risk.”