Equifax, the credit reference agency, has been fined £500,000 by the ICO after a data breach exposed the personal information of up to 15 million Britons.
Equifax is one of the big three credit reference agencies. It holds information on almost all of us so that organisations such as lenders and landlords can check whether you are financially trustworthy. Equifax therefore controls some of our most sensitive information, and a year ago we learned that attackers had stolen the personal data of millions of people around the world. In the UK the information of up to 15 million people was exposed, and in the US a staggering 145 million people were affected.
The type of information stolen is incredibly worrying: names, dates of birth, addresses, driving licence numbers and, in the US, Social Security numbers (the equivalent of national insurance numbers); unlike a password, none of this can be changed once it has leaked. Why should we care? Criminals can do a lot with that combination. It can be sold on the black market, and buyers can use it to open credit cards in your name, take out loans and even open bank accounts.
It is a huge problem, and Equifax did not handle it well. It was later revealed that Equifax executives knew about the breach in July 2017 but only announced it the following September. There were also several points at which the attack could have been prevented: in March 2017, months before the intrusion, the US Department of Homeland Security had warned Equifax that a critical vulnerability existed in software it was running, a warning that was not acted on in time.
To add to the apparent incompetence, after the attack was announced Equifax told UK officials, “At this stage, it looks like no UK financial information has been compromised in this attack.” We now know this to be untrue. A joint investigation by the Information Commissioner's Office and the Financial Conduct Authority found that the breach had affected three groups of UK data subjects in the following way:
19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.
637,430 UK data subjects had names, dates of birth and telephone numbers exposed.
Up to 15 million UK data subjects had names and dates of birth exposed.
The ICO ruled that Equifax's UK branch had “failed to take appropriate steps” to protect UK citizens' data. It added that multiple failures meant personal information had been retained for longer than necessary and left people vulnerable.
Because the breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May this year, the investigation was conducted under the UK's Data Protection Act 1998 instead, and £500,000 is the maximum penalty that Act allows.
A spokesperson for Equifax said the firm was “disappointed in the findings and the penalty. As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”