Consumer credit reporting agency Equifax has been fined £500,000 by the United Kingdom’s Information Commissioner’s Office (ICO) for failing to safeguard personal data when a cyber attack took place in 2017.
Private personal information of 15 million UK Equifax customers was obtained during a huge hack on its US parent company, Equifax Inc, during the time from 13 May and 30 July 2017. ICO discovered that Equifax’s UK office did not take acceptable steps to ensure its parent company in the United States, which processed this data, had ensured that the data was completely protected.
Information Commissioner Elizabeth Denham stated: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The hack resulted in the theft of 146 million customers’ private information worldwide. Although the majority of the 15 million UK users affected only had their contact details stolen, it is thought that 30,000 individuals also lost their email addresses, and another 15,000 had some portion of credit card information obtained.
A statement released by Equifax UK commented: “Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty. As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. Data security and combating criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”
The £500,000 penalty that has been applied by ICO follows a 12-month long investigation completed by the Financial Conduct Authority (FCA).