Yahoo Finance Equifax fined £500,000 for data breach of 15m UK customers
Equifax has been slapped with a £500,000 fine by Britain’s data watchdog for failing to protect 15m people whose personal details were stolen in a cyber-attack last year.
The Information Commissioner’s Office (ICO) issued the penalty after a cyber attack that hit Equifax in the US in May 2017, which affected 146m consumers globally.
Equifax is one of the world's three biggest credit agencies. Founded in 1899 and based in Atlanta, Georgia, it collects data on 800mn consumers and 88mn businesses worldwide.
The cyber attack between May 13 and July 30 last year came despite prior warning from the US government that the company's data was vulnerable. Hackers stole personal information including names, dates of birth, addresses, passwords, driving licence and financial details.
The ICO's investigation found the British arm of Equifax had failed to take appropriate steps to ensure that it was protecting the personal information held on UK customers.
The ICO probe found the US government had warned Equifax about a “critical vulnerability” in the company's cyber-security systems as recently as March 2017. However, the steps needed to rectify the problem were not taken.
The ICO investigation was carried out with help from with the Financial Conduct Authority.
The £500,000 fine is the maximum the ICO could issue at the time under the Data Protection Act 1998.
New rules introduced in May of this year under the General Data Protection Regulation (GDPR) allow the ICO to impose fines of up to £17m or 4 per cent of global turnover.
Elizabeth Denham, Information Commissioner said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after UK citizens’ information wherever it is held. Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
An Equifax spokespermen said: “We have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.
“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”
