Equifax, the credit rating agency, has been fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.
In 2017 a cyber-attack exposed information belonging to 146 million people around the world, mainly in the US. However, the ICO ruled Equifax’s UK branch had failed to take appropriate steps to protect UK citizens’ data. Multiple failures had meant that personal information had been kept longer than necessary and left vulnerable.
Originally, Equifax had reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but was later revealed that actually nearly 700,000 people had been affected. The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:
- 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
- 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
- Up to 15 million UK data subjects had names and dates of birth exposed
Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, but the appropriate steps to fix the vulnerability were not taken, according to the ICO.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.
“This is compounded when the company is a global firm whose business relies on personal data.”
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”, but apologised to customers. They went on to say that Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
www.bbc.co.uk/technews (20th September 2018)