UK regulator fines Equifax £500,000 for failing to protect data of millions
20 Sep 2018

The United Kingdom’s Information Commissioner’s Office (ICO) has fined US-headquartered Equifax £500,000 after it failed to protect the details of up to 15 million UK citizens during a cyber attack.

The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.

The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency, which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access, the ICO said.

The investigation was carried out under the Data Protection Act 1998, rather than the current GDPR, as the failings occurred before stricter laws came into force in May of this year.

The fine issued is the maximum allowed under the previous legislation.

Elizabeth Denham, Information Commissioner, said: “We are determined to look after UK citizens’ information wherever it is held.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

In a statement, Equifax said: “The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.

“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers.”
