Credit reference agency Equifax fined £500,000 by the ICO for security breach. This is the maximum allowed under the previous legislation (DPA 1998, pre-GDPR).
Equifax Inc. is a global company holding information on over 800 million data subjects around the world and more than 88 million businesses. Most people assume that Equifax is a recent company that found its feet in the digital age; however, it is far more mature than most people realise, having been founded in 1899 in the US. It is listed on the NYSE, has an annual revenue of $3.1 billion and has employees in 14 countries, including the UK.
In September 2017 Bloomberg reported that a hack had compromised personal data held by the company. The ICO has clarified that the breach took place “between 13 May and 30 July 2017 in the US [and affected] 146 million customers globally [including]… up to 15 million UK citizens”. The personal data compromised in this hack included names, dates of birth, addresses and even passwords, driving licence and financial details.
The FT states that the fine is for “failing to address known IT problems and unlawfully storing British data in the US”. After digging further it is clear that the intrusion was via their identity verification tool, built on the Apache Struts web framework, and happened after Equifax had been made aware of a vulnerability in Struts and failed to apply the available patch. The ICO, working with the FCA, also found that “personal information [was] being retained for longer than necessary”. The ICO stated “[Equifax] has no excuse for failing to adhere to its own policies and controls as well as the law”. It took Equifax 5 months to disclose the breach, and the company also refused help from the US Department of Homeland Security.
What were/are the outcomes?
Equifax suffered hugely as a company, with its stock price plummeting from $142 to $93 in September last year. This morning the value of their stock has been hit further (although far less pronounced), dropping from $138 to $134. As well as the board forfeiting bonuses, a number of key individuals have also been replaced, including their CISO and CEO. Their CEO, Richard Smith, retired rather quickly in circumstances many have compared to the Enron scandal, leaving him with an eye-watering $90 million payday.
Reuters reported back in June that the company had avoided “fines in deal with U.S. states over [a] data breach”. However, the ICO continued to conduct its own investigation. Due to the date of the breach, the investigation was conducted under the Data Protection Act 1998 rather than the current GDPR, and the 1998 Act limits the possible fine to £500,000. This is exactly the amount issued today by the ICO. You can read the full report from the ICO HERE and the rather uninteresting response from Equifax HERE.
This marks the biggest fine ever issued by the ICO (the ICO also recently stated its ‘intent’ to fine Facebook £500,000), and whilst it may not be a fine big enough to really rock a company with a revenue of $3.1bn, it will severely undermine consumers’ trust and no doubt have a huge impact on the business that Equifax conducts.
In response to the hack, Equifax offered a measly free credit monitoring service for one year to those affected and waived fees (temporarily) for individuals who decided to freeze their credit records in an attempt to avoid identity theft.
Why were they given the maximum penalty?
I suspect that the ICO decided a large fine was appropriate given a number of factors, including a continued failure to patch known vulnerabilities, not having a legal basis for international transfers of personal data and an extremely late notification of the breach. Specifically, the ICO stated “The company contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data… Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine”. In addition, I have submitted a FOI request to the ICO in order to obtain more details about the situation and why they believed such a large fine was appropriate.
(edit: 21 Sept 18) The ICO also cites the number of victims and the type of data involved in the breach as aggravating factors leading to such a large fine.
Ultimately, personal data is the lifeblood of Equifax; if it is unable to safeguard it properly, what future does this company have? One thing is for sure: their data breach cover will not sell too well over the coming months.
If you’ve found this article helpful at all, please do give us a thumbs up and share our content. You can also find more blog posts on privacy at MapSterling.com/blog
Links and references:
Equifax response: https://www.equifax.co.uk/about-equifax/press-releases/en_gb
FT on today’s fine: https://www.ft.com/content/007b257c-bc28-11e8-8274-55b72926558f
Business News on Equifax avoiding a fine in the US: https://www.reuters.com/article/us-equifax-states-agreement/equifax-avoids-fines-in-deal-with-u-s-states-over-data-breach-idUSKBN1JN2YH
Business Insider on the source of the attack: https://www.businessinsider.com/how-did-equifax-get-hacked-2017-9/?IR=T
FOI request to ICO for further information: https://www.whatdotheyknow.com/request/report_and_calculation_of_fine_a
Wired on Equifax’s security overhaul: https://www.wired.com/story/equifax-security-overhaul-year-after-breach/
Equifax Protect data breach cover: https://www.equifax.co.uk/data-breach/react.html