The UK’s Information Commissioner’s Office (ICO) has hit credit reference agency Equifax with a GB£500,000 fine for the 2017 data breach. Equivalent to US$660,000, the fine is the largest ever imposed by the ICO and is the maximum permitted under the legislation in force at the time. Under the newer GDPR laws, the fine could’ve been as high as $20 million.
The Equifax data breach involved the records of 146 million people, with nearly 15 million being UK nationals. The ICO was scathing in its comments about Equifax, saying, “The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken, meaning a consumer-facing portal was not appropriately patched.”
During the cyber attack last year, a range of personal information was taken, including names, dates of birth, addresses, passwords, driving licences and financial data.
The Information Commissioner herself, Elizabeth Denham, went on to say, “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”
Equifax’s approach to data protection and the care of our personal data was negligent, and frankly, I don’t think they deserve to be in business. The full judgement is available here (PDF).