Equifax Slapped with $658,000 Fine for Privacy Lapses After UK Cyber Attack

By | September 20, 2018

Credit reporting company Equifax Inc. was slapped with a maximum 500,000 pound ($658,000) fine by the U.K.’s privacy watchdog for failing to protect the personal information of as many as 15 million British citizens during a cyber attack on its systems last year.

The Information Commissioner’s Office concluded a probe into the breach, during which personal data was stolen from some 146 million people worldwide, and found that the company’s measures to protect the data were “inadequate and ineffective.” Equifax’s U.K. unit had “failed to take appropriate steps to ensure” that its U.S. parent was protecting people’s personal data, the regulator said Thursday.

“The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorized access,” the regulator said in an emailed statement.

The fine, the maximum that the regulator could levy under old privacy rules, adds to Equifax’s woes. The Atlanta-based company has been subject to probes around the world since disclosing a year ago that a hack had exposed the data in one of the biggest cyber attacks in history. The breach slashed a third off the company’s share price in one week after hackers accessed the sensitive personal information by exploiting a previously identified software vulnerability between May and July 2017.

The company violated five of the eight privacy principles created by the U.K.’s previous data protection law of 1998, including the failure to secure people’s data and a lack of a legal basis for international transfers of U.K. citizens’ data, the ICO said. The breach took place before new and much stricter EU rules took effect across the bloc in May that empower regulators to levy fines as high as 4 percent of a company’s global annual sales.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” ICO head Elizabeth Denham said in the statement. “This is compounded when the company is a global firm whose business relies on personal data.”

Equifax said it didn’t lose great numbers of clients after the breach put half the U.S. population’s sensitive personal information at risk, and congressional hearings have so far yielded no major changes to federal laws protecting data. The credit-reporting company’s revenue last quarter reached a record $877 million despite the hack.

Was this article valuable?

Here are more articles you may enjoy.