The UK data regulator has fined Equifax Ltd, the UK arm of the US-based Equifax Inc, £500,000 for failing to protect the personal information of 15 million UK residents during a cyber-attack in 2017.
The attack occurred from 13 May to 30 July 2017 and resulted in the loss of records of some 146 million people worldwide. Equifax collected information on individuals as part of its credit checking service for businesses and many of the individuals in its dataset may not even have been aware the company had their information.
The attack triggered an investigation by the Information Commissioner’s Office (ICO) which found that even though the breach occurred in the US, Equifax Ltd was responsible for the personal information of its UK customers.
The ICO said that Equifax Ltd should have taken greater steps to ensure the American parent company was protecting the information which it was processing on behalf of the UK company.
The investigation was conducted with the Financial Conduct Authority which regulates the conduct of retail and wholesale financial services firms in the UK.
There were multiple failures at Equifax, the ICO said, with records being kept longer than necessary and being vulnerable to unauthorised access.
The fine was capped at £500,000 as the investigation was conducted under the Data Protection Act 1998 rather than the General Data Protection Regulation (GDPR) which came into force in May. Under GDPR, the Equifax Ltd could have been fined up to four percent of the global turnover of Equifax Inc.
According to the ICO, five out of eight data protection principles were violated by Equifax because of its failure to secure personal data, poor retention practices and lack of legal basis for international transfers of UK citizens’ data.
Peter Carlisle, head of EMEA at cloud and data security company Thales eSecurity, said the penalty for Equifax could have been far worse. "Despite receiving the highest possible fine under the previous data protection act, Equifax’s multiple failures to keep personal data safe could have resulted in a much more significant penalty, had it been investigated just a few months later with the GDPR in full force," he said.
"What was originally heralded as ‘a major step forward for consumer protection’ will also act as a necessary wake-up call for organisations that remain negligent about protecting customer information from cyber-attacks. It’s therefore vital for businesses to have complete visibility and control over exactly where their data resides, and adopt an encrypt-everything approach," he said.