
ICO fines firms

The Information Commissioner’s Office (ICO) issued the credit checking agency Equifax Ltd with the maximum allowed £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017. The incident, which took place between May 13 and July 30, 2017 in the US, affected 146 million customers globally.

The ICO found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

The ICO, working with fellow regulator the Financial Conduct Authority (FCA), found multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access.

The investigation was carried out under the Data Protection Act 1998, rather than the new General Data Protection Regulation (GDPR), as the failings occurred before the new European Union-wide rules, which allow far larger fines, came into force in May.

The ICO said that the company contravened five of the eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and a lack of a legal basis for international transfers of UK citizens’ data.

Elizabeth Denham, Information Commissioner, said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.

“Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress. Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations.”

Separately, Bupa Insurance Services Limited (Bupa) was fined £175,000 by the ICO for failing to have effective security measures in place to protect customers’ personal information. Between January and March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.

The employee accessed the information via Bupa’s customer relationship management system, known as SWAN. The system holds customer records relating to 1.5 million people. The employee sent bulk data reports to his personal email account. The compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.

ICO Director of Investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

Bupa was alerted to the breach on June 16, 2017 by an external partner who spotted customer data for sale. Bupa and the ICO received 198 complaints about the incident. The employee was dismissed.

The watchdog pointed to what it called systemic failures in Bupa’s technical and organisational measures, which also left 1.5 million records at risk for a long time.
