Equifax fined £500,000 over customer data breach

If the security incident had taken place after GDPR came into play, the fine may have been far higher.
Written by Charlie Osborne, Contributing Writer

Equifax has been issued a £500,000 fine after a catastrophic data breach in 2017 led to the compromise of data belonging to up to 15 million UK citizens.

The credit monitoring service experienced a data breach last year in which 146 million records were stolen. Customers worldwide were affected, with the majority living in the United States.

The information exposed due to lax security practices included names, dates of birth, addresses, phone numbers, driver's license details, Social Security numbers, and credit card data.

Equifax blamed a vulnerability in the Apache Struts framework for the cyberattack. However, a patch for the flaw, CVE-2017-5638, had been readily available, and it was not applied to the firm's systems within a reasonable time.


The UK's Information Commissioner's Office (ICO) has imposed the fine following an investigation into the breach.

While the security incident affected far more US citizens, the inclusion of 15 million UK citizens in the data leak forced the agency to act -- even though the systems at the heart of the problem are based in the United States.


"Equifax was responsible for the personal information of its UK customers," the ICO said. "The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax, which was processing the data on its behalf, was protecting the information."


An investigation, conducted with the help of the Financial Conduct Authority (FCA), concluded that Equifax failed on "five out of eight" data principles under the Data Protection Act 1998.

According to the UK watchdog, under UK legislation Equifax failed to secure personal data and also implemented poor retention practices. The ICO further said there was a "lack of legal basis for [the] international transfers of UK citizens' data."

An Equifax spokesperson told ZDNet:

"We have received the Monetary Penalty Notice from the Information Commissioner's Office (ICO) on Wednesday afternoon and are considering the detailed points made.

Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologize again to any consumers who were put at risk."


The fine imposed is the maximum allowed under the Data Protection Act. However, the European Commission's General Data Protection Regulation (GDPR) came into force this year, and so any data breaches occurring after May 25th, 2018, will potentially result in more dire consequences.

The fine is a drop in the bucket for the credit report agency, which has already spent close to $250 million due to the security incident.

"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it," Elizabeth Denham, the Information Commissioner, said. "Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers' expectations. Equifax showed a serious disregard for their customers and the personal information entrusted to them, and that led to today's fine."
