UK Regulator Fines Equifax £500,000 Over 2017 Data Breach
Atlanta-based consumer credit reporting agency Equifax has been issued a £500,000 fine by the UK's privacy watchdog for its last year's massive data breach that exposed personal and financial data of hundreds of millions of its customers.
Yes, £500,000—that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company.
In July this year, the UK's data protection watchdog issued the maximum allowed fine of £500,000 on Facebook over the Cambridge Analytica scandal, saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands
Why U.K. Has Fined a US Company?
The UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now issued its largest possible monetary penalty under the country's Data Protection Act for the massive data breach—£500,000, which equals to around $665,000.
The ICO said that although the cyber attack compromised Equifax systems in the United States, the company "failed to take appropriate steps" to protect the personal information of its 15 million UK customers.
The ICO investigation revealed "multiple failures" at the company like keeping users' personal information longer than necessary, which resulted in:
19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.
637,430 UK customers had their names, dates of birth and telephone numbers exposed.
Up to 15 million UK customers had names and dates of birth exposed.
Some 27,000 Britishers also had their Equifax account email addresses swiped.
15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.
Breach Was Result of Multiple Failures at Equifax
The ICO said that Equifax had also been warned about a critical Apache Struts 2 vulnerability in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue.
Initially, it was also reported that the company kept news of the breach hidden for a month after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims.
Since the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of £500,000 imposed under the UK's old Data Protection Act 1998 is still lesser.
The penalty could have been much larger had it fallen under GDPR, wherein a company could face a maximum fine of 20 million euros or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach.
In response to the ICO’s penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is "disappointed in the findings and the penalty."
Equifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.
Industry: cyber security news
- IDAM Business Analyst
- Up to £65,000 Base
A Business Analyst with strong exposure within the Identity & Access or Privileged Access Management space is required by a leading consulting firm. You will have a strong technical understanding of at least one of the following subjects; Privileged Access/ Identity management, Identity Governance and Administration. Vendor experience may include; CyberArk, Sailpoint or Ping Identity. Any of the following vendors could also be advantageous; Oracle’s Identity Manager/ Access Manager or One Identity. The role is to be based in either London or Manchester, with 3-4 days of travel required in a week, that may flex based on the influx of work. This person will have excellent client facing skills, as you will be the primary point of contact between the clientele, and the Engineering team. So prior client facing experience is a must. If this sounds like you, give me a call today on; 0208 663 4030 or email Thomas.Childs@DCLSearch.com Ref: TC7516
- ISO27001 Information Security Consultant
- Up to £60,000
Information Security Consultant with ISO27001 audit and advisory experience is needed for a client facing opportunity with a Cyber Security company in London. Experience with ISO27001 is essential. Activities of the role will include, but not be limited to providing advice to clients, Gap analysis, Risk assessment, analysis, ISO27001 Audits. Experience taking a client through to iso 27001 certification is highly desirable. This Cybersecurity consultancy, who are dedicated to improving and investing in their client's businesses and employees careers, are looking for a security consultant due to expansion. All the training and development will be provided to help them specialise into the PCI industry / Security advisory industry. Ideal certifications ISO27001 Lead Auditor, ISO 27001 Lead implementer, PCI ISA. Aspiring PCI QSA. Other certifications such as CISSP, CISM or CISA are beneficial to have but not required. The ability to SC Clearance is essential. MUST be UK based and realistically able to commute to London. Structured career path, technical training, diverse and interesting clients available. (ISO70001 Lead Auditor, ISO 27001 Lead implementer, PCI ISA. Aspiring PCI QSA, ISO27001 Information Security Consultant) Contact me on firstname.lastname@example.org or 07884666351 or 02086634030 Ref: CH7514
- Google Cloud Data Engineer
- Up to £650 Per Day
Google Cloud Data Engineer London Up to £650 Per Day Duration: 3 months (Potential to extend) We are currently working with a leading Google Cloud partner who are currently looking for a Google Cloud Data Engineer in London. The Google Cloud Data Engineer will be responsible for a new, on-site project (start to finish) designing and implementing a data cataloguing platform using Google Cloud. Current Experience Required Google Cloud Data Analytics (Data Engineering, Data Mining, Data Cataloguing etc.) Cloud PUB / SUB Ref: PG7512
- Professional Services Security Engineer
- United Kingdom
Professional Services Security Engineer with current checkpoint experience is needed for the UK focused client facing implementation/migration, configuration position. The role will be utilising the latest versions of Checkpoint, so someone accredited with either CCSA or CCSE, on at least version R80 is ideal. The Professional Services Security Engineer must have current technical implementation experience using Checkpoint, however, I would look at someone with strong firewalling experience around other vendors such as Palo Alto and Fortinet. Being a multi-vendor professional services business, there is scope for this person to receive training and experience within other vendors. This is a UK wide role, the company in question has 2 offices across the UK, however, there is scope for this person to be home based when not on client site. Vendor training and exposure actively promoted.