Credit agency Equifax has been handed a £500,000 fine by the Information Commissioner’s Office for failing to protect the data of 15 million UK customers.
The company had previously announced that it had suffered a cyber attack between May and July 2017 in which the data of 146 million customers globally had been stolen. The data included names, dates of birth, passwords, driving licences and financial details.
Equifax was fined under the Data Protection Act, rather than the GDPR, as the breach took place before the new regulation came into force in May this year. Maximum fines under the new regime could be up to €20 million, or 4% of global turnover.
The ICO said the firm had broken five of the eight principles of the DPA, including failure to secure personal data, poor retention practices and a lack of legal basis for international transfers of UK citizens’ data.
‘No excuse’ for Equifax
Elizabeth Denham, the UK information commissioner, said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.
“Equifax has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
The company has published information for those in the UK affected by the breach here.