Atlanta-based consumer credit reporting agency Equifax has been issued a £500,000 ($660,000) fine by the Information Commissioner's Office (ICO) for failing to protect the personal and financial data of 15 million customers in the 2017 data breach.
The Information Commissioner’s Office, which carried out the investigation, stated that Equifax had been warned about vulnerabilities in its systems by the US Department of Homeland Security in March 2017. However, Equifax failed to take proper steps to fix the vulnerabilities, according to the ICO.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham. “This is compounded when the company is a global firm whose business relies on personal data.”
The U.S. Government recently released a detailed report on how the Equifax hack happened, and the consequences of the incident that exposed the personal details of 145.5 million users, including Social Security numbers, credit card numbers, and driver’s license numbers. The report stated that the incident occurred because Equifax failed to segment its databases into smaller networks, allowing the attackers to get access to all of its customers’ data.
On July 29, 2017, Equifax’s security team observed suspicious network traffic associated with its U.S. online dispute portal web application and blocked the traffic it had identified. But the company waited until after the close of trading nearly six weeks later to disclose the breach to consumers and to Equifax’s investors. After identifying a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online. Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries. Equifax made a public disclosure of the incident on September 7, 2017, after hackers had exfiltrated data for 76 days.
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty. The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologize again to any consumers who were put at risk.”