The Equifax data breach hit 147 million citizens. Now, Equifax is facing a £500,000 fine in the UK because of it.
We hear a lot about data breaches. They often occur on a seemingly weekly basis. Sometimes, things really ramp up and these types of breaches happen on a daily basis. Of course, we don’t hear much about consequences for large companies losing personal information. So, it’s not really hard for some to build up this image of all this personal information floating around on the dark web while companies just shrug and say “oops” before the story goes away.
Of course, few people would argue that the Equifax breach wasn’t significant. It’s quite difficult to ignore a data breach that saw personal information of 147 million people wind up in the wrong hands. This is especially so when there aren’t that many people out there that sign their name on a dotted line explicitly saying to Equifax that they can use their personal information. So, it is little wonder why the story made major headlines last year.
Compounding the problem here is that the initial disclosure did not actually offer accurate information about the initial breach. The story extended into March of this year when additional information surfaced that the breach is worse than reported. That, of course, is a report on top of the February report which already stated that the breach is worse than reported. So, these follow-up stories easily kept the story in the headlines.
As if that wasn’t enough, all this was on top of an executive reportedly making the controversial decision to not immediately report the breach to authorities. Instead, according to accusations, the executive in question sold Equifax stock before disclosing the breach. That, of course, gave the public reason to be angry at the company. Subsequently, Equifax investigated itself and found no evidence of wrongdoing, which didn’t necessarily boost public relations with the company.
So, word that the company did actually get fined by UK regulators is a bit of a good news, bad news scenario. The good news is that they did face a fine at all. The bad news is that it is merely £500,000, which many say is a drop in the bucket for the company. While that sounds like the company got off light, TechCrunch points out that this is actually the maximum fine that could be levied against the company:
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach.
Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.
So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months — thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.
Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.
Authorities say that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. Of course, if you’re scratching your head as to why that was used instead of Europe’s now famous GDPR, it is because those laws didn’t come into force until June of this year, long after the data breach took place. So, had this breach happened after June of this year, then the fine probably would have been much more significant.
So, while it seems like Equifax is once again getting off with a slap on the wrist, there is a silver lining in all of this. If another breach like this happens again anywhere, the potential fines could be much more significant. Equifax seemingly got lucky here because of the timing of it all.
At this point, it is a very safe bet that this won’t be the last breach a company suffers. All we can do is hope that breaches of this magnitude are exceedingly rare.
Drew Wilson on Twitter: @icecube85 and Google+.