Equifax fined £500k for personal data failings

Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) after the data of 15 million Britons was left exposed by a massive cyberattack.

The data breach occurred over a three month period in 2017 and affected information belonging to 146 million people worldwide.

The consumer credit reporting agency stated that it collects and aggregates information on over 800 million consumers and more than 88 million businesses worldwide.

The majority of compromised systems were based in the US; however, the ICO ruled that Equifax’s UK arm “failed to take appropriate steps” to protect the data of citizens in the UK.

Key findings included that personal information was stored for longer than necessary, which left consumer data vulnerable.

The ICO’s joint investigation with the Financial Conduct Authority found that the names, dates of birth, telephone numbers and driving licence numbers of 19,993 data subjects had been exposed; 637,40 names, dates of birth and telephone numbers were exposed; and up to 15 million names and dates of birth were exposed.

When the breach was first uncovered, Equifax reported that fewer than 400,000 people’s sensitive data had been exposed, but later clarified that the total was nearly 700,000.

In October the company said that a further 14.5 million exposed records would not have put people at risk.

The ICO’s report stated that Equifax had received warnings about vulnerabilities in its systems from the US Department of Homeland Security in March 2017.

The ICO was unable to use the terms of the EU General Data Protection Regulation (GDPR), which came into force in May, to investigate the breach, and instead investigated under the terms of the UK Data Protection Act 1998, imposing the maximum fine of £500,000.

The financial penalty could have been much higher had the investigation taken place under GDPR, which carries a maximum fine of 20 million euros or four per cent of global turnover, whichever is higher.

Elizabeth Denham, the UK’s information commissioner, said: "The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

"This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens' information wherever it is held."

In a statement, Equifax said it had received the ICO’s monetary penalty notice and was considering the detailed points made. It added: “Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
