The ICO have issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.
The ICO’s investigation revealed that Equifax Ltd migrated personal data relating to UK residents from the US server used by its parent undertaking, Equifax Inc. However, the UK residents’ personal data continued to be retained on the US servers when it was no longer necessary to do so. Equifax also failed to maintain up-to-date software and permitted system accounts to have more permissions than were needed.
The factors that were taken into account by the ICO in issuing the monetary penalty were:
- The number of data subjects affected, namely 15 million UK residents;
- The nature of the personal data compromised (this included driving licence and financial details) which makes the affected data subjects vulnerable to fraud; and
- The systemic inadequacies that led to the data security breach.
The data protection breach occurred prior to the implementation of the GDPR and was therefore investigated under the Data Protection Act 1998.
Key considerations
- When migrating personal data from one system to another, do not retain personal data on the previous system if it is not required. Not only does this uphold the data protection rights of data subjects, but it also minimises the risk of a data security breach;
- Do not store system passwords and other confidential data in plaintext form; use cryptographic measures such as encryption or tokenisation instead; and
- Conduct an adequate risk assessment of potential data processors’ security arrangements prior to engagement, and audit these periodically on an ongoing basis.