ICO Slaps Equifax with Maximum Fine for the 2017 Data Breach
The Information Commissioner’s Office (ICO) has fined Equifax £500,000 for its 2017 data breach that affected 15 million Brits. A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
Some of the compromised systems were also US-based.
But the ICO ruled against Equifax’s UK branch, stating that “Equifax failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
At the time of the breach, Equifax said that 14.5 million of the exposed records did not contain information that put Brits at risk since it dated from 2011 to 2016, but later admitted that sensitive information affecting almost 700,000 customers was accessed, including email addresses, passwords, driving license numbers, and phone numbers.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Elizabeth Denham, Information Commissioner.
This is compounded when the company is a global firm whose business relies on personal data. The ICO revealed that Equifax had also been warned by the US Department of Homeland Security in March 2017 about a critical vulnerability in its systems. According to the ICO, appropriate steps to fix the vulnerability were not taken.
Equifax was not happy with the findings and penalty, the firm’s spokesperson said. He added: “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologize again to any consumers who were put at risk.”
Elizabeth Denham, Information Commissioner, further said: “We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”