ICO issues maximum fine for Equifax breach

Equifax has been fined the maximum £500,000 penalty for its breach last year which exposed data belonging to 146 million people around the world, including 15 million in the UK.

The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

Multiple failures at the credit reference agency led to personal information being retained for longer than necessary and vulnerable to unauthorised access, the ICO found.

The company contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.

The penalty imposed represents the maximum allowed under the previous legislation. The investigation was carried out under the Data Protection Act 1998, as the failings occurred before the rather more strict GDPR came into force in May of this year.

    Share Story:

Recent Stories


Your people and the pandemic: Are you doing enough?
Employee health, well-being and security have always been a vital part of risk management, and as organisations seek ways to ensure a smooth, successful and sustainable return to operations amid the evolving environment, careful consideration has to be given to all these areas, and quickly. Published August 2020

Responding to COVID-19: A safe and secure return to work
Learn more from the experts that worked on the recovery of the Diamond Princess. Published July 2020