UK Information Commissioner’s office fines Equifax half a million pounds for security breach in 2017

October 1, 2018

First the breach, then the disastrous publicity and, just when things seem to be getting better, the enforcement action. That is the way of it with UK and US privacy breaches. Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack. The impact was, even by modern standards, massive, with the personal information of 146 million people being compromised. That included 200,000 credit card numbers and expiration dates and government-issued documentation such as drivers’ licences and passports. The personal information of a total of 15 million UK citizens was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a lesson in how not to store information, how not to set up data security and how not to respond to a data breach. As the UK Information Commissioner found, Equifax breached 5 out of 8 data protection principles. There were problems with poor password protection (such as storing passwords in plaintext), retention of data on individuals that was no longer required, and poor IT patching. Equifax said the data breach occurred on 29 July but kept that information secret for a month and a half. The hacker(s) gained access through a security hole that had been identified and notified to Equifax in March 2017. Equifax failed to patch the system to fix the defect.

The Information Commissioner took action and imposed the maximum fine available to her under a monetary penalty notice, £500,000. The Information Commissioner’s media release provides:

The Information Commissioner’s Office (ICO) issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.

The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.

The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorised access.

The investigation was carried out under the Data Protection Act 1998, rather than the current GDPR, as the failings occurred before stricter laws came into force in May of this year. Today’s fine is the maximum allowed under the previous legislation.

The company contravened five out of eight data protection principles of the Data Protection Act 1998 including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.

Elizabeth Denham, Information Commissioner said:

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

“This is compounded when the company is a global firm whose business relies on personal data.

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.

The personal information lost or compromised during the incident ranged from names and dates of birth to addresses, passwords, driving licence and financial details.

Ms Denham added:

“Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.

“Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

The Monetary Penalty Notice lists a litany of poor practices including:

  • Upon the migration of EIV from the US to the UK it was no longer necessary to keep any of the EIV dataset, including in particular the compromised UK data, on the US system. Despite this, the relevant EIV dataset was not deleted in full from the US environment and/or the migration process was inadequate.
  • In respect of the GCS dataset stored on the US system, Equifax Ltd did not appear to be sufficiently aware of the purpose for which it was being processed until after the breach.
  • Equifax Ltd failed to adequately follow up or check to ensure that all relevant UK data had been removed from the US environment or to have in place an adequate process to ensure this was done.
  • Equifax Ltd did not undertake an adequate risk assessment(s) of the security arrangements before transferring data to it.
  • The Data Processing Agreement 2014 between Equifax Ltd (as a data controller) and Equifax Inc (as a data processor) was inadequate.
  • Despite having clear contractual permission to do so, Equifax Ltd did not carry out appropriate audits of Equifax Inc and failed to carry out adequate checks on Equifax Inc to ensure it complied with the relevant security requirements.
  • Equifax Ltd failed to ensure adequate security measures were in place, including:
    • Not adequately encrypting all personal data held on its system;
    • Not adequately protecting user passwords;
    • Failing to address known IT vulnerabilities, including those that had been identified and reported at a senior level, by promptly identifying and applying appropriate patches to all vulnerable systems/parts of the system;
    • Not having fully up-to-date software;
    • Failing to undertake sufficient and/or sufficiently regular system scans, and/or using inadequate scanning tools;
    • Failing to ensure appropriate network segregation;
    • Permitting accounts to have more permissions than needed;
    • Storing service account passwords in plaintext within files and allowing such files to be accessed by staff;
    • Failing to ensure that other technical measures provided appropriate protection (particularly as regards exploitation of the Apache Struts vulnerability), due to an expired certificate in an SSL decryptor which prevented traffic being properly checked by its Intrusion Prevention System.
  • Equifax Ltd’s processes for keeping track of personal data were deficient in relation to both the EIV dataset and the GCS dataset, allowing personal data to remain on a system based overseas without having an identified lawful purpose for its (continued) processing.
  • Communications between Equifax Ltd and Equifax Inc were inadequate, as evidenced by the delay of over a month between Equifax Inc becoming aware of the data breach and Equifax Ltd being informed of it.
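One of the findings above, service account passwords stored in plaintext within files that staff could read, is a control failure that can be detected mechanically. The script below is an added illustration, not Equifax’s tooling and not part of the Monetary Penalty Notice: it walks a directory, flags configuration lines whose key looks like a credential and whose value is a literal secret rather than a vault reference, placeholder or password hash, and records whether the file is world-readable. The sample files, their contents and the file names are constructed for the example.

```python
"""Scan configuration files for plaintext service-account credentials.

Hypothetical detection script (constructed for this example; not Equifax's
or the ICO's tooling). Sample files are written to a temporary directory.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Keys whose values are commonly secrets in ini/properties/env style files.
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.\-]*(password|passwd|pwd|secret|api[_-]?key|token)"
    r"[A-Za-z0-9_.\-]*)\s*[:=]\s*(?P<value>[^#\n]*?)\s*(?:#.*)?$",
    re.IGNORECASE,
)
# Values that reference a vault/environment variable or are placeholders.
SAFE_VALUE_RE = re.compile(
    r"^(\$\{[^}]*\}|\$[A-Za-z_][A-Za-z0-9_]*|<[^>]*>|\{\{.*\}\}|\*{3,}"
    r"|(vault|keyring|secretsmanager):.*)$",
    re.IGNORECASE,
)
# Values that are already password hashes (crypt/bcrypt/argon2/scrypt prefixes).
HASHED_VALUE_RE = re.compile(r"^\$(2[aby]|argon2(id|i|d)|6|5|scrypt)\$")


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    world_readable: bool  # True when the file mode grants read access to "others"


def is_plaintext_secret(value: str) -> bool:
    """True if the value looks like a literal secret rather than a reference or hash."""
    v = value.strip().strip("\"'")
    if not v or SAFE_VALUE_RE.match(v) or HASHED_VALUE_RE.match(v):
        return False
    return True


def scan_file(path: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal secret to a credential key."""
    findings: List[Finding] = []
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            m = SECRET_KEY_RE.match(line)
            if m and is_plaintext_secret(m.group("value")):
                findings.append(Finding(path, line_no, m.group("key"), world_readable))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every regular file under root; results sorted for stable reporting."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def demo() -> List[Finding]:
    """Write constructed sample files into a temp dir, scan them, return the findings."""
    samples = {  # constructed sample content, not real credentials
        "db.properties": "db.user=svc_reporting\ndb.password=Tr0ub4dor&3\n",
        "app.env": "API_TOKEN=${VAULT_API_TOKEN}\nSERVICE_PWD = hunter2  # legacy batch account\n",
        "users.conf": "admin.password_hash=$6$rounds=5000$saltsalt$notarealhash\n# password=changeme\n",
        "README.txt": "Password policy: rotate every 90 days.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "db.properties"), 0o644)  # readable by all staff
        os.chmod(os.path.join(root, "app.env"), 0o600)        # owner only
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        exposure = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}:{f.line_no}: plaintext secret in '{f.key}' ({exposure})")
```

Run as a scheduled job over configuration trees, the output feeds two of the controls the Notice says were missing: the plaintext finding itself, and the file-mode column, which separates a secret only the service owner can read from one every member of staff can open. Vault references, environment-variable placeholders and already-hashed values are skipped so the report is not swamped with false positives.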
