THE INFORMATION COMMISSIONER'S OFFICE (ICO) has fined Equifax £500,000 for its 2017 mega-breach that affected 15.2 million Brits.
The incident, which affected a whopping 146 million customers worldwide, quickly caught the attention of the ICO, which last year announced that it - along with the Financial Conduct Authority (FCA) - would be investigating Equifax.
The ICO on Thursday ruled that Equifax's UK branch had "failed to take appropriate steps" to protect citizens' data, adding that the "multiple failures" at the credit reference agency led to personal information being retained for longer than necessary and vulnerable to unauthorised access.
"The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures," the watchdog said.
The data watchdog's investigation - which was carried out under the Data Protection Act 1998, rather than the current GDPR - also found that the US Department of Homeland Security had warned Equifax about a critical vulnerability as far back as March 2017.
"Sufficient steps to address the vulnerability were not taken meaning a consumer-facing portal was not appropriately patched," the ICO said.
At the time of the breach, Equifax said that 14.5 million of the exposed records, which dated from 2011 to 2016, did not contain information that put Brits at risk, but admitted that sensitive information affecting almost 700,000 customers was accessed, including email addresses, passwords, driving licence numbers and phone numbers.
The ICO has investigated further, revealing that almost 20,000 of the leaked records included names, dates of birth, telephone numbers and driving licence numbers, while 637,000 included names, dates of birth and telephone numbers.
Elizabeth Denham, Information Commissioner, said: "The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
"This is compounded when the company is a global firm whose business relies on personal data.
"We are determined to look after UK citizens' information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."