In the UK consumer credit reporting agency Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to safeguard millions of UK citizens’ personal data when a cyber attack happened in 2017.
Private personal information of 15 million UK Equifax customers was accessed during a massive hack on its US parent company, Equifax Inc, during the time period between 13 May and 30 July 2017. ICO discovered that Equifax’s UK office did not take proper steps to ensure its parent firm in the United States, which processed this data, had ensured that the information was completely safe.
Information Commissioner Elizabeth Denham said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The cyber attack led to the theft of 146 million customers’ private information globally. Although most of the 15 million UK users impacted only had their contact details stolen, it is believed that 30,000 individuals also lost their email addresses, and an additional 15,000 had some portion of credit card information taken.
A statement issued by Equifax UK said: “Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty. As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. Data security and combating criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”
The £500,000 fine that has been applied by ICO is the culmination of a 12-month long investigation completed working with the Financial Conduct Authority (FCA).