The credit rating agency Equifax is being fined £500,000 after failing to protect personal data for over 15 million people in the UK.
The Information Commissioner’s Office (ICO) is taking action after a 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly US Equifax users.
Equifax’s UK branch was found to have “failed to take appropriate steps” to protect citizens’ data, with “multiple failures” in its systems leaving personal information vulnerable during the attack.
At the time, Equifax reported that fewer than 400,000 people had fallen victim to the breach, but the number turned out to be nearer 700,000. The ICO joined forces with the Financial Conduct Authority to investigate the breach and found that it affected three specific groups:
- Exposure of 19,992 UK names, dates of birth, telephone numbers and driving licence numbers
- Exposure of 637,430 UK names, dates of birth and telephone numbers
- Exposure of up to 15 million UK names and dates of birth
The breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May of this year, so the investigation fell under the UK’s Data Protection Act of 1998 instead. The fine of £500,000 is the highest possible fine under that particular law.
A spokesperson from Equifax said: “Equifax was disappointed in the findings and the penalty. As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”