£500k fine for Equifax 2017 data breach

The fine was imposed by the British regulatory authorities

Equifax, the Atlanta-based consumer credit reporting agency, received a fine of £500k from the UK’s privacy regulator for the massive data breach the company suffered last year, an incident that exposed the personal and financial data of hundreds of millions of its clients, as reported by specialists in ethical hacking from the International Institute of Cyber Security.

This is the highest fine permitted under the United Kingdom’s Data Protection Act, which dates back to 1998, although it may seem a rather insignificant figure for a company worth £16 billion.

In July this year, the UK Data Protection Agency had already issued the maximum fine allowed by this law to Facebook over the Cambridge Analytica scandal, saying that the social media giant had failed to prevent its users’ data from falling into the wrong hands.

The Equifax data breach

As experts in ethical hacking reported at the time, Equifax suffered a massive data breach last year between mid-May and late July, exposing highly sensitive data of up to 145 million people from around the world. The stolen information included victims’ names, dates of birth, phone numbers, driver’s license details, addresses and social security numbers, as well as payment card information.

The data theft occurred because the company did not respond adequately to a critical vulnerability in Apache Struts 2 (CVE-2017-5638), for which patches had already been published by ethical hacking and cybersecurity companies.

The UK Information Commissioner’s Office (ICO), which launched a joint investigation into the incident with the Financial Conduct Authority, issued the largest monetary penalty that the country’s Data Protection Act allows: £500k, equivalent to about $660k USD.

The ICO said that although the cyberattack compromised Equifax systems in the United States, the company did not take appropriate measures to protect the personal information of its 15 million customers in the UK. Likewise, the ICO’s investigation revealed multiple failures at the company, which resulted in:

  • Exposure of the information of 19,993 UK customers (including names, dates of birth, phone numbers and driver’s license numbers)
  • Deletion of 27,000 email accounts linked to Equifax
  • Theft of passwords, personal information and payment card information from 15,000 Equifax customers in the United Kingdom

The ICO said Equifax had been made aware of the critical vulnerability in Apache Struts 2 by a security announcement from the U.S. Department of Homeland Security (DHS) in March 2017, but the company did not take the appropriate steps to fix the problem.

It was also revealed that the company kept the incident hidden for a month after it was discovered, giving three senior Equifax executives enough time to sell shares worth almost $2M USD, although the company denied such claims.

Equifax has already received official notice of the fine and is able to appeal the ICO’s decision.