Equifax narrowly escapes hefty GDPR fine for 2017’s hack

Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) for cyber security failures that led to hackers accessing personal information for up to 15 million UK citizens.

A total of 146 million customers were affected by the breach, which happened between May 13th and July 30th 2017 in the US.

Although the information systems compromised were situated in the US, an ICO investigation found that Equifax was responsible for the personal information of its UK customers. This is because the company’s UK arm failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

The ICO’s probe also uncovered multiple failures at the credit reference agency that led to personal information being retained for longer than necessary and vulnerable to unauthorised access.

The £500,000 fine issued to Equifax could’ve been much heftier because the investigation was carried out under the Data Protection Act 1998, rather than the much stricter GDPR laws that took effect in May. As such, the fine was the maximum allowed under that legislation.

Information commissioner Elizabeth Denham said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

“This is compounded when the company is a global firm whose business relies on personal data.”