Equifax will be fined £500,000 by the Information Commissioner’s Office (ICO) following its failure to protect the personal data of 15 million Britons when a cyber attack in 2017 exposed information belonging to 146 million people across the globe.
Despite the compromised systems being based in the US, the ICO ruled that Equifax’s UK branch didn’t take proper steps to protect UK citizens’ data.
The ICO’s inquiry, carried out in parallel with the Financial Conduct Authority, also exposed numerous failures by the firm which led to personal information being held for longer than necessary and vulnerable to unauthorised access.
>See also: What constitutes an ICO fine?
Elizabeth Denham, Information Commissioner, said: “Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”
Ofri Ben-Porat, CEO and co-founder, Pixoneye, commented: “This is a prime example of the limitations and the lack of power the ICO had before GDPR when it comes to deterring companies from adopting inadequate security policies. If the breach had happened now, the ICO could charge Equifax up to €20 million, or 4% annual global turnover.”
“Equifax is incredibly fortunate this time around, but others won’t be. This should hopefully be a strong deterrent against inadequate security policies as companies should be making the personal data of customers their number one priority. Storing sensitive data in the cloud doesn’t always guarantee its safety, we’ve seen this with a number of data breaches involving large companies in the past couple of weeks. Many companies and organisations have increased their use of cloud-based services to store customer data, but many still have little visibility into how and where their critical business data is used.”
“It’s no secret that maintaining complete control over business data is a significant challenge, but with customers’ personal data at stake, the security of that personal data should be a company’s number one concern.”
An Equifax spokesperson said: “Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.”
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.”
“The criminal cyber attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”