ICO issues maximum fine for Equifax pre-GDPR data breach

Those of you who attended the various Oben presentations on GDPR, and the equivalent Jersey Law, given by Advocate Simon Franckel and Alex Ruddy earlier this year, may recall that we discussed the serious data breach suffered by Equifax Inc. – the parent company of the UK-registered Equifax Limited. The security measures of Equifax – such as they were – were lamentable. Personal data of up to 15 million people in the UK alone were compromised, in addition to 146 million individuals in the US.

On 19 September 2018 the UK’s ICO issued a Monetary Penalty Notice imposing a penalty of £500,000 against Equifax Limited. The fine was under the old regime, pre-GDPR, given the timing of the breach. The seriousness of the incident is reflected in the fact that the fine is the maximum which the ICO had the power to impose pre-GDPR. Under the GDPR, the potential fine, should the events occur today in the UK, could be up to a maximum of either €20 million or 4% of annual global turnover, whichever is greater.

When one considers the details of the breach, it is easy to imagine that, had the same events occurred under the GDPR, the fine would have been enormous.

A security expert revealed that he exposed Equifax’s cybersecurity vulnerabilities to the company long before the breach and that his advice was ignored.

“It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down,” the researcher said. “In this case it was just ‘Please take this site down, make it not public.’ That’s all they needed to do.”

In a Senate Committee hearing, the one-time CEO of Equifax, Richard Smith, revealed that the Company deliberately chose not to encrypt its data.

As a result, all you had to do was put in a search term and get millions of results, instantly — in cleartext, through a web app. The personal data of all of Equifax’s customers could be downloaded in 10 minutes.

There were in fact many exacerbating factors; for example, notification of the breach was late: the Commissioner found that the breach was not reported until two months after the event.

What the Monetary Penalty Notice does not mention is the allegation that two Equifax executives — Chief Financial Officer John Gamble and Joseph Loughran, Equifax’s president for U.S. information solutions — sold $2m worth of stock in August 2017, after the hack was discovered but before it was disclosed, according to multiple news reports. Rodolfo Ploder, president of workforce solutions, reportedly sold stock a day later. They claim not to have known about the breach, and an internal review has since cleared them of any wrongdoing.

There is a right of appeal to the First-Tier Tribunal against both the imposition and level of the fine.
