The Information Commissioner's Office (ICO) has issued Equifax with the highest fine available to it, in response to the credit reporting agency's failings that led to a major data breach in 2017.
ICO Fines Equifax
The £500,000 penalty is only the second time the UK privacy watchdog has used the full extent of its powers. It follows the exposure of data on 15 million UK customers in the incident.
Nearly 146 million customers worldwide, mainly in the US, were affected by the breach, which involved highly sensitive data ranging from Social Security numbers and tax IDs to driver's licence numbers.
At the time, Equifax was criticised for failing to patch a known Apache Struts vulnerability, which remained unpatched for several months. It was this flaw that the attackers ultimately exploited to compromise the firm.
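The lesson practitioners draw from the Struts episode is that a patch is only useful if you know where the vulnerable library is deployed. The script below is an added example, not code from the article, the ICO or Equifax: it inventories Struts core jars by filename and flags any that sit below the fixed version for their release branch. The jar paths are constructed, and the fixed-version table is an assumed placeholder to be replaced with the versions from the vendor advisory for the bug being tracked. The point it makes beyond the text is that a single global threshold is wrong when a fix ships on several maintained branches at once.

```python
"""Flag Apache Struts 2 core jars that are below their branch's fixed version.

Added example, not from the original article. The jar list is constructed and
FIXED_BY_BRANCH is an ASSUMED placeholder: take the real fixed versions from
the vendor's advisory for the vulnerability you are tracking.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# ASSUMPTION: per-branch minimum safe version. Vendors often fix a bug on
# several maintained branches at once, so one global threshold is wrong:
# 2.5.10 compares above 2.3.32 yet is still below the 2.5 branch's fix.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Matches the canonical Maven artifact name, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly component-wise."""
    return tuple(int(part) for part in text.split("."))


def struts_version(path: str) -> Optional[Version]:
    """Return the Struts 2 core version encoded in a jar path, or None."""
    m = JAR_RE.search(path)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version: Version) -> bool:
    """True if the version is below the fixed version of its own branch."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # (2, 5, 10) < (2, 5, 10, 1) holds because a prefix sorts first.
        return version < FIXED_BY_BRANCH[branch]
    # A branch older than every fixed branch never received the fix;
    # a branch newer than all of them is assumed to have shipped with it.
    return branch < min(FIXED_BY_BRANCH)


def audit(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every Struts core jar still below its fix."""
    findings = []
    for path in paths:
        version = struts_version(path)
        if version is not None and is_vulnerable(version):
            findings.append((path, ".".join(map(str, version))))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a deployment directory and audit every jar found under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return audit(paths)


if __name__ == "__main__":
    # Constructed sample inventory; in practice feed scan_tree() a real root.
    SAMPLE_PATHS = [
        "/srv/app1/WEB-INF/lib/struts2-core-2.3.31.jar",   # below 2.3.32
        "/srv/app2/WEB-INF/lib/struts2-core-2.5.10.jar",   # below 2.5.10.1
        "/srv/app3/WEB-INF/lib/struts2-core-2.5.10.1.jar", # patched
        "/srv/app4/WEB-INF/lib/struts2-core-2.1.8.jar",    # unmaintained branch
        "/srv/app4/WEB-INF/lib/commons-lang-2.6.jar",      # not Struts
    ]
    for path, version in audit(SAMPLE_PATHS):
        print(f"UNPATCHED {version:<10} {path}")
```

Run it against the root of each application server and treat every finding as a ticket with a deadline measured in days. The filename check is deliberately cheap so it can run from a cron job or CI; shaded or renamed jars will escape it, so pair it with a manifest or SBOM check where those exist.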
The ICO carried out its investigation alongside the Financial Conduct Authority and found that Equifax had contravened five of the eight data protection principles of the Data Protection Act 1998, including failing to secure personal data, poor retention practices and a lack of legal basis for international transfers of UK citizens' data. Its data management systems were "inadequate and ineffective", and the ICO identified issues with data retention, IT system patching and audit procedures.
The Information Commissioner, Elizabeth Denham, said the incident would have caused particular distress to UK consumers, many of whom would not have been aware that the firm held their personal data in the first place.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she said.
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The fine would almost certainly have been far larger had the breach fallen under the GDPR, which has applied since 25 May 2018 and allows penalties of up to €20 million or 4% of global annual turnover, whichever is higher.
Join us for IDM Europe
Join us in March 2019 for our upcoming 6th IDM Europe conference, where we discuss the full lifecycle deployment of Identity and Access Management (IAM) systems across industry and government. This must-attend event will bring together hundreds of IDM thought leaders and innovators across Europe and further afield to discuss and shape the future of secure, risk-driven IAM.