Equifax hit with maximum £500,000 fine after massive security breach

The Equifax logo being viewed under a magnifying glass

The Information Commissioner's Office (ICO) has fined Equifax 500,000 for failing to protect millions of UK citizens' personal data during a cyber attack last year.

Contact information, email addresses and credit card information of 15 million UK Equifax customers were compromised in a massive hack on its US parent company, Equifax Inc, between 13 May and 30 July 2017.

Although systems in the US were targeted, the ICO found the credit agency's UK arm failed to take appropriate steps to ensure its parent firm, which processed this data on its behalf, had protected the information.

"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce," said Information Commissioner Elizabeth Denham.

"This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens' information wherever it is held.

"Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."

The hack led to the theft of 146 million customers' data from around the world. Although the vast majority of the 15 million UK users affected only had their contact information stolen, it is thought 30,000 also lost their email addresses, and a further 15,000 had partial credit card information stolen.

Equifax received the ICO's Monetary Penalty Notice on Wednesday, and are considering the points made in the document, a spokesperson confirmed. It also once again apologised for the incident.

"Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty," a spokesperson from its UK arm said.

"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

"Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority."

The 500,000 fine is the culmination of up to a year's long investigation the ICO has been conducting in tandem with the Financial Conduct Authority (FCA).

It has been adjudicated under the Data Protection Act 1998 (DPA), as opposed to the EU's General Data Protection Regulation (GDPR), since the cyber attack occurred before the new laws came into force on 25 May.

The joint probe revealed multiple failures at the credit agency, including that data was retained longer than necessary, and that personal information was vulnerable to unauthorized access.

Investigators also found significant problems with data retention, IT system patching, and its auditing procedures. The US Department of Homeland Security, moreover, had warned its parent firm about a critical vulnerability as far back as March 2017. Steps to address this vulnerability were not taken, and a user-facing portal was not appropriately patched.

"Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress," Ms Denham added.

"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers' expectations.

Denham added that Equifax showed "serious disregard" for their customers and the personal information that it held.

This massive penalty follows the ICO's intent to fine Facebook 500,000 in light of the Cambridge Analytica scandal, with notice issued in July.

However, an ICO spokesperson confirmed the regulator has yet to issue the fine itself, having until January to do so. This means Equifax Ltd becomes the first company to be fined the maximum permitted under the DPA.

Telecoms firm TalkTalk was fined 400,000 in 2016 for a data breach involving over 150,000 customers, and then 100,000 after the discovery of a second hack that occurred earlier in 2014, and therefore collectively has faced similar financial penalties.

Although GDPR has been in force for nearly four months, the ICO has yet to conclude any of its ongoing investigations into breaches of the new legislation.

This includes the breach onTicketmaster's systems in late June, which could be a litmus test for how the ICO will regulate organisations under GDPR. British Airways could potentially face a 500 million fine, though this would be the maximum.

While the maximum fine under the DPA 1998 is 500,000, breaches of GDPR could see organisations hit with a penalty of up to 17 million, or 4% of an organisation's annual turnover, whichever is higher.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.