According to the ICO, Equifax UK's parent company in the US, the one infiltrated by cyberattackers, processed data on its behalf. The ICO concluded that the company's UK division failed to make sure that its American counterpart was protecting UK citizens' information properly. The regulator also found "significant problems with [the company's] data retention, IT system patching and audit procedures." Further, it discovered that the US Department of Homeland Security had warned Equifax about a critical vulnerability back in March 2017, and the company did not patch the flaw the hackers ultimately exploited.
The investigators divided the affected subjects in the country into different categories: the most seriously affected (19,993 people) had their names, dates of birth, phone numbers and driver's licenses stolen. Meanwhile, the first three types of information (names, dates of birth and phone numbers) were exposed for 637,430 subjects. In all, 15 million UK citizens had their names and dates of birth exposed, but those unfortunate enough to fall under the first category are clearly the most vulnerable to identity theft.
While £500,000 is chump change for a company like Equifax despite all its financial setbacks since the breach came to light, that's the largest fine authorities can issue, since the event happened before GDPR was implemented. Information Commissioner Elizabeth Denham explained:
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.
We are determined to look after UK citizens' information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."
Update (09/20/18 8:54AM ET): An Equifax spokesperson has reached out with the company's official statement:
"We have received the Monetary Penalty Notice from the Information Commissioner's Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.
As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk. Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority."