20 Sep 2018
The United Kingdom’s Information Commissioner’s Office (ICO) has fined US-headquartered Equifax £500,000 after it failed to protect the details of up to 15 million UK citizens during a cyber attack.
The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.
The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorised access, the ICO said.
The investigation was carried out under the Data Protection Act 1998, rather than the current GDPR, as the failings occurred before stricter laws came into force in May of this year.
The fine issued is the maximum allowed under the previous legislation.
Elizabeth Denham, Information Commissioner, said: “We are determined to look after UK citizens’ information wherever it is held.
“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
In a statement, Equifax said: “The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.
“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers.”