The Information Commissioner’s Office (ICO) has slapped Equifax Ltd with the biggest monetary penalty it could, £500,000, following the compromise of personal data belonging to 15 million UK citizens.
Last year the company suffered a major cyber-security incident that saw 146 million of its customers affected globally.
Hackers exploited a vulnerability in the Apache Struts 2 web application framework that Equifax Inc. used in an online customer disputes portal for its US users.
The ICO’s fine notice notes that: “The vulnerability, CVE-2017-5638, was disclosed to Equifax Inc. on 8 March 2017 by the US Department of Homeland Security Computer Emergency Readiness Team(“US CERT”).”
However, while the company passed the information around internally the actual problem itself was never patched. This resulted in hackers stepping through the unpatched vulnerability between May 13 and July 30 2017 and grabbing the data belonging to 146 million Equifax customers.
The data incident resulted in 15 million UK citizens having their private data stolen by threat actors. The ICO found that within that dataset 14,961 UK individuals had the following data compromised: name, address, DOB, username & password, secret question and answer. None of this data was in an encrypted format.
This group of individuals also had their credit card numbers stolen, but this information was in an obscured format. All this information was contained in a file share that was accessible internally by Equifax employees and was ironically meant for the companies Fraud Investigation team in the UK.
The Information Commissioner Elizabeth Denham commented: “We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
“Many of the people affected would not have been aware the company held their data; learning about the cyber-attack would have been unexpected and is likely to have caused particular distress.”
Due to the fact that the cyber incident occurred before the EU General Data Protection Regulation (GDPR) came into law, Equifax was subject to the UK’s 1998 data legislation. Had it happened after GDPR the fine issued by the ICO could have be significantly higher, as Ms Denham would have had the power to issue a fine of up to 17 million or four percent of Equifax’s global turnover. As their reported revenue for 2017 was over three billion, a 4 percent fine would have amounted to 120 million.
Computer Business Review contact Equifax for a response to the fine and a spokesperson replied saying that they: “Have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made.”
“Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.”
“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”