Equifax receives a £500,000 fine for its 2017 data breach. Equifax is one of the largest consumer credit reporting agencies and suffered a major data breach last year. A large number of UK residents had their data exposed, so the UK regulator, the Information Commissioner's Office (ICO), has fined the company £500,000.
This is the maximum fine permitted under the Data Protection Act 1998, the law in force when the breach happened. It may look like a small amount for a company worth around $16 billion, but it is a sign that the UK, and possibly other countries, are not taking data breaches lightly.
The ICO imposed the same maximum fine on Facebook over the Cambridge Analytica scandal, a failure of a different kind (data handed to a third party rather than stolen by attackers) but one affecting a comparable number of people. The Equifax breach exposed the records of around 145 million people, most of them in the US, with the attackers active inside the company's systems between May and July 2017.
The exposed data included names, dates of birth, addresses, phone numbers, Social Security numbers and driver's license details, and for some victims credit card information. It was a massive leak and one that significantly damaged trust in the company. The attackers got in through a known Apache Struts 2 vulnerability that Equifax had not patched, even though Apache had published a fix in March 2017, roughly two months before the intrusion began.
Is it possible for UK regulators to fine US companies?
The ICO concluded that a £500,000 penalty was appropriate for this type of incident. Although Equifax is a US company, the penalty was issued to its UK subsidiary, Equifax Ltd, which the ICO found was responsible for the UK residents' data that it had sent to the US parent for processing. Around 15 million people in the UK were affected, an extremely high number of data subjects.
Of those, 19,993 had their names, dates of birth, phone numbers and driving licence numbers exposed, 637,430 had their names, dates of birth and phone numbers exposed, and up to 15 million had their names and dates of birth exposed. A further 15,000 UK residents also had their addresses, usernames, passwords, account recovery questions, credit card numbers and spending amounts stolen. The issue was clearly severe, and someone needed to take action.
The breach was possible due to multiple failures at Equifax
The unpatched Apache Struts 2 vulnerability was only one of the many problems the ICO identified in how the company handled personal data. Equifax also kept the breach quiet for around six weeks after discovering it internally at the end of July 2017, only announcing it in September. In the days after the discovery, three senior Equifax executives sold nearly $2 million worth of shares; the company maintains that they did not know about the breach at the time.
GDPR, which has applied since May 2018, sets far more stringent data protection rules, and against that standard £500,000 looks low. GDPR did not apply to this breach because it predates the regulation, but under GDPR the maximum fine would be up to 20 million euros or 4% of global annual turnover, whichever is higher.
Equifax has said that it is fully cooperating with the ICO, although it is disappointed in both the findings and the penalty. The company can appeal the penalty, but at the time of writing it has not done so.