Equifax fined maximum amount under DP Act 1998 for security breach

The ICO has issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.

Information Commissioner Elizabeth Denham said: “Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to [today’s] fine.”

The fine is the maximum available under the 1998 DP Act, which was the legislation at the time of the contravention, and also the first maximum fine issued under the previous legislation. The ICO says that given the size of the company, and the resources available to it, this type of security breach should not have happened.

Equifax has said it has cooperated fully with the ICO throughout its investigation, and is disappointed with the penalty.

"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect," Equifax says in a statement.

The Financial Conduct Authority has carried out its own separate investigation. An FCA spokesperson commented: "The FCA and the ICO have worked well together. Our investigation continues as we are looking at a broader range of issues and subjects. Consistent with normal policy, the FCA will not otherwise discuss details of its ongoing investigations."

The ICO and the FCA have separate but overlapping mandates, but it is not altogether clear which is the most appropriate body to investigate and enforce. The FCA and ICO have an established Memorandum of Understanding. A letter from FCA to the Treasury Select Committee at the House of Commons in 2017 said: "As we have different regulatory remits and enforcement options open to us, we would always seek to ensure that the authority with the most applicable regulatory powers leads on that area of exploration or action. This is an approach that would also apply to any potential formal investigatory action."

See the Monetary Penalty Notice.