A year on from the disclosure of one of the world’s worst data breaches, the Equifax data breach that impacted 146 million customers globally, the UK’s Information Commissioners Office has fined the credit reporting agency the maximum penalty of £500,000 for failing to protect the personal data of its customers.

How the breach unfolded

While public disclosure of the Equifax breach did not transpire until September 2017, Equifax detected the unauthorised access on its systems in July 2017, some months after the cybercriminals first gained entry to the company’s systems.

Since it took Equifax a substantial amount of time to discover the breach, the cybercriminals had uninterrupted access to the organisation’s systems for many months.

It was a deliberate attack. The cybercriminals scouted Equifax’s publicly accessible systems to find a way in and were able to gain access by exploiting a vulnerability.

The cybercriminals began to syphon off the data in May 2017 and the attack continued for 76 days before it was detected and stopped. In that time the personal information of 146 million consumers was stolen, 15 million of which were citizens of the United Kingdom.

The personal data impacted globally includes names, addresses, birth dates, tax information, drivers licence details and financial details.

The ICO’s findings

Jointly, The ICO and the Financial Conduct Authority investigated the incident and found that Equifax breached five data protection principles of the Data Protection Act 1998.

Although the cyberattack occurred at Equifax’s US parent company, Equifax Ltd was responsible for ensuring the protection of its customers’ data. Equifax Inc. processed the personal data of the UK divisions customers on their behalf resulting in UK citizens’ personal data getting stolen.

Findings include:

  • Equifax failed to ensure that its US counterpart was protecting UK citizens’ personal information.
  • Equifax had poor data retention policies, and practices and personal information was kept unnecessarily and for too long.
  • Equifax had issues relating to its IT systems, patching and audit procedures.
  • Equifax lacked a legal basis for the international transfer of UK citizens’ data.
  • Equifax had been warned about a critical vulnerability in March 2017 and had failed to patch the fault that the cybercriminals went on to exploit.
  • Equifax’s security measures were inadequate and ineffective.

Elizabeth Denham, Information Commissioner, said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.”

She added, “This is compounded when the company is a global firm whose business relies on personal data.”