Credit Rating Agency fined £500k by ICO

Equifax fined over its Business practices

One of the Leading UK Credit Referencing Agencies, Equifax, has been hit with a whopping £500,000 fine following its failure to protect the personal data of up to 15 million UK individuals.

Equifax were targeted by a cyber attack between 13 May and 30 July 2017 and it is said that 146m people were affected on a global scale.

The ICO investigation concluded that whilst the information systems in the US were compromised, in the UK Equifax Ltd are responsible for the personal information of its customers. The investigation found that the UK Division of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.

The ICO’s probe, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorised access.

The investigation was carried out under the Data Protection Act 1998, rather than the current GDPR, as the failings occurred before stricter laws came into force in May of this year. Today’s fine is the maximum allowed under the previous legislation.

The company contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.

Elizabeth Denham, Information Commissioner said: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”


This site uses Akismet to reduce spam. Learn how your comment data is processed.