Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) following the major data breach that hit the company last year.
According to the ICO, Equifax “failed to take appropriate steps” to protect the data of UK citizens, and that’s why it was fined. It also said there were ‘multiple failures’, and that Equifax kept user data longer than it needed to, consequently putting it at risk.
The company received the maximum possible fine from the ICO. As the breach occurred before GDPR kicked in, the investigation was conducted under the UK’s Data Protection Act from 1998.
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce," said information commissioner Elizabeth Denham.
"This is compounded when the company is a global firm whose business relies on personal data."
An Equifax spokesperson said the firm was "disappointed in the findings and the penalty".
"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
"The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk."
The investigation revealed that almost 20,000 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed, more than 600,000 had names, dates of birth and telephone numbers exposed, and up to 15 million had names and birthdates exposed.