The Information Commissioner’s Office (ICO) has fined Equifax £500,000 following its investigation into the 2017 data breach.
The fine on the credit reference agency was imposed for failing to protect 15 million people whose personal details were stolen in a cyber-attack that hit Equifax in the US in May 2017.
Sadly, the breach affected 146 million customers globally, the majority of them living in the United States. Even though the breach affected more US citizens than UK citizens, the inclusion of 15 million UK citizens in the hack compelled the agency to act, even though the systems at the heart of the problem are US-based.
According to ICO:
“Equifax was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax, which was processing the data on its behalf, was protecting the information.”
Information commissioner Elizabeth Denham, while commenting on the fine, said:
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens’ information wherever it is held.”
Equifax blamed the hack on a vulnerability in the Apache Struts framework it used. Although a patch for the flaw, CVE-2017-5638, had been readily available, it was not applied to the firm’s systems in time.
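The failure described above is one of patch currency: the fix existed, but the deployed framework was still an affected build. The following added example (not code from the article, Equifax, the ICO or the Struts project) shows the kind of check a build pipeline can run to catch that condition: it parses a constructed Maven `pom.xml`, resolves a `${...}` property reference, and compares the `struts2-core` version against the affected ranges the Apache Struts project published for CVE-2017-5638 (advisory S2-045: 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The pom content, project name and property name are constructed sample input.

```python
"""Flag Apache Struts 2 builds that predate the fix for CVE-2017-5638.

Added example (not from the article or Equifax). Affected ranges and fixed
versions are taken from the Apache Struts advisory for this CVE (S2-045).
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Inclusive version ranges listed as affected in the Struts advisory.
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, ...], Tuple[int, ...]], ...] = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# First fixed release on each affected branch.
FIXED_VERSIONS: Dict[str, str] = {"2.3": "2.3.32", "2.5": "2.5.10.1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """True when the version lies inside an advisory-listed affected range.

    Python compares tuples lexicographically, so (2, 5, 10, 1) > (2, 5, 10)
    and the 2.5.10.1 fix correctly falls outside the 2.5 .. 2.5.10 range.
    """
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def _resolve_property(root: ET.Element, value: str) -> str:
    """Resolve a Maven '${name}' reference against the pom's <properties> block."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if match is None:
        return value.strip()
    props = root.find(POM_NS + "properties")
    if props is None:
        return value.strip()
    return props.findtext(POM_NS + match.group(1), default=value).strip()


def struts_core_versions(pom_xml: str) -> List[str]:
    """Return every declared org.apache.struts:struts2-core version in the pom."""
    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", default="")
        artifact = dep.findtext(POM_NS + "artifactId", default="")
        raw_version = dep.findtext(POM_NS + "version")
        if group == "org.apache.struts" and artifact == "struts2-core" and raw_version:
            versions.append(_resolve_property(root, raw_version))
    return versions


def assess_pom(pom_xml: str) -> List[Dict[str, Optional[object]]]:
    """One finding per struts2-core dependency: version, affected flag, fixed version."""
    findings = []
    for version in struts_core_versions(pom_xml):
        branch = ".".join(str(p) for p in parse_version(version)[:2])
        findings.append(
            {
                "version": version,
                "affected": is_affected(version),
                "fixed_in": FIXED_VERSIONS.get(branch),
            }
        )
    return findings


# Constructed sample pom: a web app pinning struts2-core through a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-webapp</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for finding in assess_pom(SAMPLE_POM):
        status = "AFFECTED" if finding["affected"] else "not affected"
        print(f"struts2-core {finding['version']}: {status}; fixed in {finding['fixed_in']}")
```

Run against a real pom, the script would report the declared version, whether it falls in an affected range, and the first fixed release on that branch; on the constructed sample it reports 2.3.31 as affected with the fix in 2.3.32. It inspects only the direct declaration in one pom, so a version inherited from a parent pom or pulled in transitively needs the resolved dependency tree (for example `mvn dependency:tree` output) as input instead.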
According to the Information Commissioner’s Office (ICO), Equifax does not only hold data on customers who have used its services; it also accrues information from the electoral roll, court records, and account data shared by banks, utility companies, and other organizations – leaving people who have never used the company’s services exposed to the attack as well.
In total, 657,423 UK customers had personal details such as phone numbers and driving license details breached, while 15 million records of names and birth dates were also accessed, due to sloppy security practices.
The investigation, carried out jointly by the ICO and the Financial Conduct Authority (FCA), concluded that the parent company of Equifax was compromised and that the UK arm of Equifax had failed to secure personal data and to make sure the US company was protecting the data of its UK customers.
It also found that the customer data was not only kept longer than necessary but was left vulnerable to hackers due to multiple failures in IT systems and auditing.
The investigation further revealed that the US Department of Homeland Security had warned Equifax about vulnerabilities in its systems in March 2017, before the hack, but that Equifax did not take the necessary steps to address them.
Denham said the agency was determined to protect the data of UK citizens at all times. She also commented on the fine, which she noted was the “highest fine possible” given the number of victims involved, the data at risk and the failure of Equifax to adhere to its “own policies and controls as well as the law.”
She further added:
“Many of the people affected would not have been aware the company held their data; learning about the cyber-attack would have been unexpected and is likely to have caused particular distress. Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it.”
An Equifax spokesperson who spoke with the media said the company has cooperated with the ICO throughout the investigation but was “disappointed in the findings and the penalty.”
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents, and it acknowledges the strengthened procedures which are now in effect. The criminal cyber attack against our U.S. parent company last year was a pivotal moment for our company. We apologize again to any consumers who were put at risk.”
Featured Image: Hillburn & Lein