Equifax Gets Maximum U.K. Privacy Fine Over Cyberattack Lapses

(Bloomberg) -- Credit reporting company Equifax Inc. was slapped with a maximum 500,000 pound ($658,000) fine by the U.K.’s privacy watchdog for failing to protect the personal information of as many as 15 million British citizens during a cyberattack last year.

The Information Commissioner’s Office concluded a probe into the breach, during which personal data was stolen from some 146 million people worldwide, and found that the company’s measures to protect the data were “inadequate and ineffective.” Equifax’s U.K. unit had “failed to take appropriate steps to ensure” that its U.S. parent was protecting people’s personal data, the regulator said Thursday.

“The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorized access,” the regulator said in an emailed statement.

The fine, the maximum that the regulator could levy under old privacy rules, adds to Equifax’s woes. The Atlanta-based company has been subject to probes around the world since disclosing a year ago that a hack had exposed the data in one of the biggest cyberattacks in history. The breach slashed a third off the company’s share price in one week after hackers accessed the sensitive personal information by exploiting a previously identified software vulnerability between May and July 2017.

“The criminal cyberattack against our U.S. parent company last year was a pivotal moment for our company,” Equifax said in an emailed statement. “We apologize again to any consumers who were put at risk.”

Equifax said it has “successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.” The company “cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty,” it said.

Equifax violated five of the eight privacy principles created by the U.K.’s previous data protection law of 1998, including the failure to secure people’s data and a lack of a legal basis for international transfers of U.K. citizens’ data, the ICO said. The breach took place before new and much stricter EU rules took effect across the bloc in May that empower regulators to levy fines as high as 4 percent of a company’s global annual sales.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” ICO head Elizabeth Denham said in the statement. “This is compounded when the company is a global firm whose business relies on personal data.”

Equifax said it didn’t lose great numbers of clients after the breach put half the U.S. population’s sensitive personal information at risk, and congressional hearings have so far yielded no major changes to federal laws protecting data. The credit-reporting company’s revenue last quarter reached a record $877 million despite the hack.

©2018 Bloomberg L.P.