(qlmbusinessnews.com via telegraph.co.uk – Thur, 20th Sept 2018) London, UK –
Equifax has been slapped with a £500,000 fine by Britain’s data watchdog for failing to protect 15m people whose personal details were stolen in a cyber-attack last year.
The Information Commissioner’s Office (ICO) issued the penalty after a cyber attack that hit Equifax in the US in May 2017, which affected 146m consumers globally.
Equifax is one of the world's three biggest credit agencies. Founded in 1899 and based in Atlanta, Georgia, it collects data on 800mn consumers and 88mn businesses worldwide.
The cyber attack between May 13 and July 30 last year came despite prior warning from the US government that the company's data was vulnerable. Hackers stole personal information including names, dates of birth, addresses, passwords, driving licence and financial details.
The ICO's investigation found the British arm of Equifax had failed to take appropriate steps to ensure that it was protecting the personal information held on UK customers.
The ICO probe found the US government had warned Equifax about a “critical vulnerability” in the company's cyber-security systems as recently as March 2017. However, the steps needed to rectify the problem were not taken.
The ICO investigation was carried out with help from the Financial Conduct Authority.
The £500,000 fine is the maximum the ICO could issue at the time under the Data Protection Act 1998.
New rules introduced in May of this year under the General Data Protection Regulation (GDPR) allow the ICO to impose fines of up to £17m or 4 per cent of global turnover.
Elizabeth Denham, Information Commissioner, said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after UK citizens’ information wherever it is held. Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
By Joseph Archer