Equifax fined £500,000 for 2017 Customer Security Breach

Marco Green
September 22, 2018

In its statement, the Information Commissioner's Office (ICO) stated that it found that although Equifax systems in the United States were compromised, Equifax Ltd was responsible for the personal information of its customers in Britain.

The UK fined Equifax £500,000 ($660,000) on Thursday for failing to protect the personal data of up to 15 million citizens in the 2017 cyberattack.

"Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty," the company said in a statement.

Ofri Ben-Porat, CEO and co-founder, Pixoneye, commented: "This is a prime example of the limitations and the lack of power the ICO had before GDPR when it comes to deterring companies from adopting inadequate security policies". The company also failed to obtain users' consent for doing so, telling the ICO this would have created a security risk.

"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it", Elizabeth Denham, Information Commissioner said.

Equifax first disclosed in September 2017 that it had been the target of a massive data breach, mostly in the United States. Because the incident predated the GDPR, it was instead subject to the U.K.'s 1998 Data Privacy Act. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue (see GDPR Effect: Data Protection Complaints Spike).

The ICO's inquiry, carried out in parallel with the Financial Conduct Authority, also exposed numerous failures by the firm which led to personal information being held for longer than necessary and vulnerable to unauthorised access.

The affected data included the names and dates of birth of 15 million individuals.

Telecoms firm TalkTalk was fined £400,000 in 2016 for a data breach involving over 150,000 customers, and a further £100,000 after the discovery of a second hack that had occurred earlier, in 2014, so it too has collectively faced financial penalties on a similar scale.

The ICO says that with its GCS dataset, Equifax was failing to follow its own cryptographic standards, which required that all passwords be stored in "encrypted, hashed, masked, tokenized" or another approved form.
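The standard the ICO cites is simple to state and simple to check for. As an added illustration (not code from Equifax or the ICO; the record format, the PBKDF2 work factor and the sample dataset are all constructed here), the block below stores passwords as salted PBKDF2-HMAC-SHA256 hashes, verifies a login against that form only, and audits a set of records for secrets that are not in the approved form, which is the kind of control that would have flagged the plaintext passwords in the dataset described above.

```python
import hashlib
import hmac
import os
import re

# Added example: a password-storage standard and an audit against it.
# ITERATIONS, SALT_BYTES and the "$pbkdf2-sha256$..." record layout are
# assumptions made for this example, not values from the page.
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16           # per-password random salt

# The only storage form this example treats as "approved":
# $pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>
APPROVED = re.compile(
    r"^\$pbkdf2-sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$"
)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the approved stored form for a password: salted, slow hash."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Verify a password against a stored record; anything not in the
    approved form is rejected outright rather than compared as plaintext."""
    match = APPROVED.match(stored)
    if not match:
        return False
    iterations = int(match.group(1))
    salt = bytes.fromhex(match.group(2))
    expected_hex = match.group(3)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(candidate.hex(), expected_hex)


def audit_records(records):
    """Return the usernames whose stored secret violates the standard
    (plaintext, a missing field, or an unsalted fast hash all fail)."""
    return [r["user"] for r in records if not APPROVED.match(r.get("secret", ""))]


# Constructed sample dataset: one compliant record, one plaintext password,
# one unsalted SHA-256 digest that is hashed but not in an approved form.
SAMPLE_RECORDS = [
    {"user": "alice", "secret": hash_password("correct horse battery staple")},
    {"user": "bob", "secret": "Winter2017!"},
    {"user": "carol", "secret": hashlib.sha256(b"qwerty").hexdigest()},
]

if __name__ == "__main__":
    print("non-compliant records:", audit_records(SAMPLE_RECORDS))
```

The audit deliberately keys on the stored form rather than on how the record was produced: a field that cannot be parsed as an approved hash is reported, whether it holds a plaintext password, an empty value or a bare unsalted digest, which is the property a dataset-level compliance check needs.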

Equifax was widely criticized at the time for failing to patch a known Apache Struts vulnerability for several months. The GAO report says Equifax only discovered the unpatched system thanks to a network security tool that was created to scan encrypted traffic for signs of malicious activity. But Equifax had failed to renew a digital certificate required for the tool to function. "Many companies and organisations have increased their use of cloud-based services to store customer data, but many still have little visibility into how and where their critical business data is used". The breach slashed a third off the company's share price in one week after hackers accessed the sensitive personal information by exploiting a previously identified software vulnerability between May and July 2017.

Other reports by Click Lancashire