September 20, 2018, updated 02 Apr 2019 8:08am

Equifax Dodges GDPR Bullet as ICO Fines it £500,000 Via 1998 Data Act

"Many of the people affected would not have been aware the company held their data"

By CBR Staff Writer

The Information Commissioner’s Office (ICO) has slapped Equifax Ltd with the biggest monetary penalty it could, £500,000, following the compromise of personal data belonging to 15 million UK citizens.

Last year the company suffered a major cyber-security incident that saw 146 million of its customers affected globally.

Hackers exploited a vulnerability in the Apache Struts 2 web application framework that Equifax Inc. used in an online customer disputes portal for its US users.

The ICO’s fine notice notes that: “The vulnerability, CVE-2017-5638, was disclosed to Equifax Inc. on 8 March 2017 by the US Department of Homeland Security Computer Emergency Readiness Team (“US CERT”).”

However, although the company circulated the information internally, the vulnerability itself was never patched. Attackers exploited the unpatched vulnerability between May 13 and July 30 2017 and took the data belonging to 146 million Equifax customers.


The incident resulted in 15 million UK citizens having their private data stolen by threat actors. The ICO found that within that dataset 14,961 UK individuals had the following data compromised: name, address, date of birth, username and password, secret question and answer. None of this data was stored in an encrypted format.

This group of individuals also had their credit card numbers stolen, although that information was held in an obscured format. All of this information was contained in a file share that was accessible internally to Equifax employees and was, ironically, meant for the company’s Fraud Investigation team in the UK.


Equifax Fine

The Information Commissioner Elizabeth Denham commented: “We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

“Many of the people affected would not have been aware the company held their data; learning about the cyber-attack would have been unexpected and is likely to have caused particular distress.”

Because the cyber incident occurred before the EU General Data Protection Regulation (GDPR) came into law, Equifax was subject to the UK’s 1998 data legislation. Had it happened after GDPR took effect, the fine issued by the ICO could have been significantly higher, as Ms Denham would have had the power to issue a fine of up to 17 million or four percent of Equifax’s global turnover. As its reported revenue for 2017 was over three billion, a 4 percent fine would have amounted to 120 million.

Computer Business Review contacted Equifax for a response to the fine, and a spokesperson replied saying that they: “Have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made.”

“Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.”

“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”
