Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO)
Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.
A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
The compromised systems were also US-based.
The ICO ruled, however, that Equifax’s branch had “failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.
The company added last October that the exposure of a further 14.5 million British records would not have put people at risk.
The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:
- 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
- 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
- Up to 15 million UK data subjects had names and dates of birth exposed
The ICO also revealed that Equifax had been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, and that appropriate steps to fix the vulnerability had not been taken.
Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.
The fine of £500,000 is the highest possible under that law.
Information Commissioner Elizabeth Denham said: "The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
"This is compounded when the company is a global firm whose business relies on personal data."
An Equifax representative said the firm was “disappointed in the findings and the penalty”.
The representative added: "As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
"The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk."