Equifax fined £500k for personal data failings

Written by Hannah McGrath

Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) after the data of 15 million Britons was left exposed by a massive cyberattack.

The data breach occurred over a three month period in 2017 and affected information belonging to 146 million people worldwide.

The consumer credit reporting agency stated that it collects and aggregates information on over 800 million consumers and more than 88 million businesses worldwide.

The majority of compromised systems were based in the US, however the ICO ruled that Equifax’s UK arm “failed to take appropriate steps” to protect the data of citizens in the UK.

Key findings included that personal information was stored for longer than necessary, which left consumer data vulnerable.

The ICO’s joint investigation with the Financial Conduct Authority found that the names, dates of birth, telephone numbers and driving licence numbers of 19,993 data subjects had been exposed; 637,40 names, dates of birth and telephone numbers were exposed; and up to 15 million names and dates of birth were exposed.

When the breach was first uncovered, Equifax reported that fewer than 400,000 peoples’ sensitive data had been exposed, but later clarified that the total amount was nearly 700,000.

In October the company said that a further 14.5 million records exposed would not have put people at risk.

The ICO’s report stated that Equifax has received warnings about vulnerabilities in its systems by the US Department of Homeland Security in March 2017.

The ICO was unable to use the terms of the EU General Data Protection Regulation (GDPR) - which came into force in May - to investigate the breach, and instead investigated under the terms of the UK Data Protection Act 1998, imposing he maximum fine of £500,000.

The financial penalty could have been much higher had the investigation taken place under GDPR, which carries a maximum fine of 20 million euros or four per cent of global turnover - whichever is highest.

Elizabeth Denham, the UK’s information commissioner, said: "The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

"This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens' information wherever it is held."

In a statement, Equifax said they had received the ICO’s monetary penalty notice and were considering the detailed points made. It added: “Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”