The Information Commissioner's Office today announced it has levied a fine of £500,000 on U.S. credit reference agency Equifax for failing to safeguard personal details of up to 15 million UK citizens which were compromised after the company suffered a massive data breach that compromised personal details of up to 146 million people globally.
Even though millions of British citizens were affected by the data breach, the fine imposed on Equifax was limited to £500,000 as it was the maximum permissible penalty under the Data Protection Law 1998. The Information Commissioner's Office had also fined Facebook a similar amount earlier this year for failing to prevent data analytics firms from harvesting personal details of millions of users.
The Equifax data breach, which took place between May and July last year, resulted in the leakage of sensitive personal data of millions of people from across the globe. Even though the agency initially announced that the breach had affected fewer than 400,000 UK consumers, it later clarified that driving license numbers, Equifax usernames, passwords, email addresses and partial credit card details of 693,665 Britons and phone numbers of a further 167,431 Britons were compromised during the incident.
Following the announcement of the breach, Equifax committed to help affected UK customers by offering free social media monitoring alerts so that they were made aware of any publically available information about them. At the same time, Equifax said it would offer the affected people links to services provided by other UK regulated organisations which could help them protect their identities.
"We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward,” said Patricio Remon, President at Equifax Ltd.
Equifax data breach affected up to 15m Brits
According to a statement issued by the Information Commissioner's Office earlier today, personal information of up to 15 million UK citizens were compromised by the Equifax data breach and such information ranged from names and dates of birth to addresses, passwords, driving licence and financial details.
"The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched," it said.
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data," said Information Commissioner Elizabeth Denham.
"We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.
"Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.
"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine," she added.