INSUBCONTINENT EXCLUSIVE:
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK data protection agency for last year massive data
breach.
Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK prior privacy regime was in force —
rather than the tough new data protection law, brought in via the EU GDPR, which allows for maximum penalties of as much as 4% of a company
global turnover for the most serious data failures.
So, again,Equifax has managed to dodge worse consequencesover the 2017 breach, despite
the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months —
thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.
Personal information that was lost or compromised in
the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.
The UK data
protection regulator is involved because up to 15 million UK citizens& data was also breached in the attack
And while the hack compromised Equifax US systems, the UK citizens& data was being processed in the US.
The UK Information Commissioner
Office (ICO) said today that the UK arm of Equifax failed to take adequate steps to ensure its US parents was protecting this
data.
Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data
Protection Act 1998 — including, failure to secure personal data; poor retention practices; and lack of legal basis for international
transfers of UK citizens& data.
Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of
victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the
law,&said information commissioner Elizabeth Denham in a statement
&We are determined to look after UK citizens& information wherever it is held.
The loss of personal information, particularly where there is
the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce
This is compounded when the company is a global firm whose business relies on personal data,& she added.
The regulator investigation,
carried out in parallel with the UK financial regulator, the Financial Conduct Authority, revealed multiple failures at the credit reference
agency.
The ICO says it found thatmeasures that should have been in place to manage personal information were &inadequate and ineffective&,
and there were also &significant problems& with data retention, IT system patching, and audit procedures.
It flags the fact that the US
Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017, noting that &sufficient
steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched&.
Many of the people
affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to
have caused particular distress,& added Denham, emphasizing the reasons for the ICO to issue the maximum possible penalty for the
breach.
The ICO also recently issued Facebook with the same level of finefor allowing user data on up to 87 million Facebook users to be
scraped by a third party app which used it to try to build voter targeting models, selling this as a service to a political consultancy
involved in US elections.
Multinational data companies like Equifax must understand what personal data they hold and take robust steps to
protect it,& she continued
&Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers& expectations
Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today
fine.
Equifax has responded with disappointment to the ICO decision
In a statement responding to the ICO ruling, a company spokesperson said: &We have received the Monetary Penalty Notice from the Information
Commissioner Office (ICO) on Wednesday afternoon and are considering the detailed points made
Equifaxhas cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.
As the ICO
makes clear in its report,Equifaxhas successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents
and it acknowledges the strengthened procedures which are now in effect
The criminal cyberattack against our US parent company last year was a pivotal moment for our company
We apologise again to any consumers who were put at risk.
Data security and combatting criminal digital activity is an ongoing battle for
all organisations that requires continued innovation and attention
We have acted and continue to act to make things right for consumers
They will always be our priority.
The company points to a number of changes it says it has made in response to the incident to strengthen
its policies and processes, and also highlights ongoing investments in infrastructure and corporate governance procedures, including hiring
additional IT staff, which are intended to improve the resilience of its systems to hack attacks.
However it does concede that the breach
itself was the result of internal process failings, given that a file containing historical consumer information which should have been
deleted was not.
And the key point here is that the ICO decision is based on scrutinising exactly what happened that led to the breach
occurring.
How a company has acted since a security crisis will be taken into consideration, as part of the overall picture, but having shut
the barn door after the horse has bolted is only going to get so much credit vs the reasons for the barn door not being properly secured in
And that as it should be given the point of data protection legislation is to encourage companies to prioritize security, not overlook
it.
In the Equifaxdecision the ICO writes: &The Commissioner has also taken into account her underlying objective in imposing a monetary
penalty notice, namely to promote compliance with the DPA [data protection act]
She considers that, given the nature, seriousness and potential consequences of the contravention arising in this case, that objective would
not be adequately served by an unduly lenient penalty.
