September 24, 2018
The ICO has issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.
The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.
The ICO investigation found that, although the compromised information systems were in the US, Equifax Ltd remained responsible for the personal information of its UK customers. The UK arm of the company had failed to take appropriate steps to ensure that its American parent, Equifax Inc, which was processing the data on its behalf, was protecting that information. The ICO also found, amongst other things, that the compromised personal information, which ranged from names, dates of birth and addresses to passwords, driving licence details and financial details, had been retained for longer than necessary, leaving data that should already have been deleted exposed to unauthorised access.
The £500,000 fine was issued under the Data Protection Act 1998 (the 1998 DPA), because the breaches occurred before the General Data Protection Regulation (GDPR) came into force. It is the maximum penalty the 1998 DPA allows. The Information Commissioner, Elizabeth Denham, said that Equifax had been given the highest fine possible because of the number of victims, the type of data at risk and because it had “no excuse for failing to adhere to its own policies and controls as well as the law”.
It should be remembered that the maximum fine the ICO can now issue under the GDPR is significantly higher than the maximum under the 1998 DPA: the ICO now has the power to fine companies up to €20 million or 4% of annual worldwide turnover, whichever is higher. The ICO’s press release and the accompanying monetary penalty notice set out the findings in full.