The largest fine to date of £500,000 has been charged by the Information Commissioner’s Office (ICO) to Equifax for its data breach. The loss of personal data has affected 15 million Britons. The cyber-attack was carried out in 2017 which means it does not come under the more recent General Data Protection Regulation (GDPR). However, having demonstrated a number of failings, the business received the highest possible fine under the UK’s Data Protection Act 1998.

Working with the Financial Conduct Authority in its investigation of the breach, the ICO reported that:

  • The number of Britons affected by the breach was originally reported as 400,000 but this increased to nearly 700,000, and then finally to 15 million;
  • 19,993 UK data subjects had names, DOB, telephone numbers and driving licence numbers exposed;
  • 637,430 UK data subjects had names, DOB and telephone numbers exposed;
  • Equifax had not taken appropriate steps in response to the warning about a critical vulnerability in its systems it had received early in 2017.

A lack of clear understanding as to the number of people affected along with some of the records being kept longer than necessary were significant aspects that resulted in the scale of the fine. This latest news demonstrates the ICO’s commitment to upholding data protection regulations. What is evident, whether it be pre or post the 25 May 2018, is that the level of fine imposed on businesses will be based not only on the breach, but also on the controls, policies and data protection culture in place. Businesses need to demonstrate a regular review and improvement process to protect and maintain the currency of their data and comply with the data protection regulations.

Paul Gribbon, Practice Lead at 2|SEC comments,

“Whilst this fine was applied pre-GDPR, this is a strong indicator of the implications for businesses that have ignored or played down the new regulations. Maintaining information security is a continuous process not a one-off project. Companies need to recognise this in their business processes and implement a programme to stay on top of this regulation and the overall security of their business.”

If you would like more information about information security or data protection, or if you are concerned about privacy in your own organisation, you can contact Paul Gribbon directly on 020 7877 0060 or email paul.gribbon@2-sec.com.