[BreachExchange] Equifax fined by ICO over data breach that hit Britons

Destry Winant destry at riskbasedsecurity.com
Thu Sep 20 00:17:09 EDT 2018


https://www.bbc.com/news/uk-england-essex-45574163

Credit rating agency Equifax is to be fined £500,000 by the
Information Commissioner's Office (ICO) after it failed to protect the
personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million
people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax's UK branch had "failed to take appropriate
steps" to protect UK citizens' data.

It added that "multiple failures" meant personal information had been
kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had
sensitive data exposed in the breach - but it later revealed that the
number was nearly 700,000.

A further 14.5 million British records exposed would not have put
people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to
investigate the breach, found that it affected three distinct groups
in the following ways:

- 19,993 UK data subjects had names, dates of birth, telephone numbers
  and driving licence numbers exposed
- 637,430 UK data subjects had names, dates of birth and telephone
  numbers exposed
- Up to 15 million UK data subjects had names and dates of birth exposed

Guard let down

Equifax had also been warned about a critical vulnerability in its
systems by the US Department of Homeland Security in March 2017, the
ICO revealed.

And appropriate steps to fix the vulnerability were not taken,
according to the ICO.

Because the breach happened before the launch of the EU's General Data
Protection Regulation (GDPR) in May this year, the investigation took
place under the UK's Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

"The loss of personal information, particularly where there is the
potential for financial fraud, is not only upsetting to customers, it
undermines consumer trust in digital commerce," said information
commissioner Elizabeth Denham.

"This is compounded when the company is a global firm whose business
relies on personal data."

An Equifax spokesperson said the firm was "disappointed in the
findings and the penalty".

"As the ICO makes clear in its report, Equifax has successfully
implemented a broad range of measures to prevent the recurrence of
such criminal incidents and it acknowledges the strengthened
procedures which are now in effect.

"The criminal cyber-attack against our US parent company last year was
a pivotal moment for our company. We apologise again to any consumers
who were put at risk."
