Don’t let Equifax fool you. Though they may have been issued the maximum penalty that the UK’s data protection agency can hit a company with for a data breach scandal, they’re getting off easy considering that fine is only £500,000. The UK recently passed a tough data protection law that “allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures”, but when Equifax left the data of 147 million users vulnerable to hackers, a much softer policy was in place, according to TechCrunch.
The personal data stolen from Equifax included names, dates-of-birth, addresses, passwords, and other critical information. Though the system holding these details was functioning out of the US, over 15 million UK citizens were affected by the data breach as their information was processed in the US. The UK’s Information Commissioner’s Office (ICO) claims that Equifax’s UK branch failed to uphold five of eight of the Data Protection Act 1998’s data protection principles.
“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement. “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”
According to the ICO, Equifax’s practice of managing personal data was “inadequate and ineffective” and their efforts at data retention, IT system patching, and audit procedures left much to be desired. The US Department of Homeland Security had warned Equifax of these vulnerabilities in March 2017, but “sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.”
“Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it,” explained Denham. “Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”