Credit rating agency Equifax has received the maximum possible fine of £500,000 for a data breach affecting up to 15m Brits.
UK data protection regulator the Information Commissioner’s Office (ICO) said the penalty reflected its opinion that the US giant “has no excuse” for failing to follow its own internal policies and the law, with its own mistakes responsible for the data leak.
Equifax broke five of the eight data protection rules set out in the 1998 Data Protection Act when it failed to fix a flaw in its own infrastructure, despite a software update that would have fixed it being available.
ICO investigators found significant problems with data retention, IT system patching, and audit procedures.
It still failed to fix the issue after the Department of Homeland Security warned it about the vulnerability in March 2017, leading to 145m people’s personal details being stolen by hackers between May and July last year.
Information Commissioner Elizabeth Denham said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after UK citizens’ information wherever it is held. Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
Had the data breach happened under the new UK legislation, the highest fine Equifax could have incurred would have been up to £17m.
An Equifax UK spokesperson said the firm was “disappointed” by the fine, saying it has since implemented measures to prevent such an incident happening again.
“The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk,” they added.
“Data security and combating criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”