Equifax, a credit rating agency, has been imposed with the maximum possible fine amounting to £500,000 for a data breach that affected approximately 15 million Brits.
The Information Commissioner’s Office (ICO), the data protection regulator of the United Kingdom, said that the penalty showed its opinion that the US giant “has no excuse” for not being able to follow its own internal policies and the law. It said that the agency’s own mistakes were responsible for the data leak.
Equifax broke five of the eight data protection rules that were set out in the 1998 Data Protection Act after it failed to correct a flaw in its own infrastructure, despite the availability of a software update that would have fixed it.
The investigators of the ICO discovered some significant problems with the company’sIT system patching, audit procedures, and data retention.
It was still not able to fix the issue following the warning of the Department of Homeland Security about the vulnerability in March of last year, resulting in a hack that affected the personal details of approximately 145m people between the period of May and July 2017.
Elizabeth Denham, the Information Commissioner, stated: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.”
She added: “This is compounded when the company is a global firm whose business relies on personal data.”
She continued: “We are determined to look after UK citizens’ information wherever it is held. Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
If the said data breach happened the new legislation of the United Kingdom, the highest fine that Equifax could have incurred would likely be up to £17m.
A spokesperson for Equifax UK said that the firm was “disappointed” by the fine. He said that the company has since implemented some measures to prevent such an incident from happening again.
They added: “The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.
“Data security and combating criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”