Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.
A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
The compromised systems were also US-based.
But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.
A further 14.5 million British records exposed would not have put people at risk, the company added last October.
The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:
- 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
- 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
- Up to 15 million UK data subjects had names and dates of birth exposed
Guard let down
Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.
And appropriate steps to fix the vulnerability were not taken, according to the ICO.
Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.
And the fine of £500,000 is the highest possible under that law.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.
“This is compounded when the company is a global firm whose business relies on personal data.”
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.
Chris Mallett, a cyber insurance expert with global insurer AON, said: “The size of the penalty imposed by the ICO on Equifax not only reflects the seriousness of the data breach, but may also signal an increasing willingness on the part of the ICO to show its teeth when it comes to data breaches.
Because the Equifax data breach occurred prior to the implementation of GDPR, the £500,000 fine is the highest monetary penalty the ICO could have imposed, and Equifax’s case is the first where the ICO has penalised an organisation to the maximum extent possible, in spite of Equifax stating that they have co-operated fully with the investigation and implemented a range of measures to minimise risk in future.
“Following implementation of GDPR, the maximum penalty the ICO can impose has increased from £500,000 to €20,000,000 (£17.7 million) for any breaches that have occurred since 25 May this year, and the fine imposed against Equifax may indicate that the ICO won’t shy away from using the additional clout afforded to them under GDPR in future.
“It’s interesting to note that the ICO have chosen to impose the maximum fine possible on Equifax in the UK despite the breach originating in the US, and the ICO’s statement that they are ‘determined to look after UK citizens’ information wherever it is held’ highlights the need for all UK businesses to ensure personal data is protected even when data processing is carried out overseas or by a third-party supplier.
It’s clear from the ICO’s judgement that businesses will need to take an active interest in ensuring that all parties who hold individual data have the necessary security arrangements in place, and this includes parties in territories that may not have the same level of legislation around data security.
GDPR applies worldwide to EU citizens’ data, and breaches resulting from branches or suppliers overseas will be treated exactly the same as those that occur in the UK.
“The Equifax data breach lasted from 13 May to 30 July 2017, and was characterised in part by a lack of clarity from Equifax on just how many individuals had been affected – Equifax initially stated that fewer than 400,000 individuals were affected in the UK, but this number was ultimately found to be much higher.
The ICO have specifically referenced the damage to consumer confidence caused by the Equifax breach, and this will no doubt have been influenced – at least in part – by the lack of clarity from Equifax immediately following the breach.
It’s a lesson to businesses of all sizes that having an effective plan in place to respond to a data breach can often be critical, with organisations that can quickly and effectively establish the exact number of clients affected and provide them with comprehensive information and advice likely to be viewed much more favourably by the ICO than those which, like Equifax, struggle to get a handle on a breach.”