ICO issues maximum fine for Equifax pre-GDPR data breach
Those of you who attended the various Oben presentations on GDPR, and the equivalent Jersey Law, given by Advocate Simon Franckel and Alex Ruddy earlier this year, may recall that we discussed the serious data breach suffered by Equifax Inc. – the parent company of the UK-registered Equifax Limited. The security measures of Equifax – such as they were – were lamentable. Personal data of up to 15 million people in the UK alone were compromised, in addition to 146 million individuals in the US.
On 19 September 2018 the UK’s ICO issued a Monetary Penalty Notice imposing a penalty of £500,000 against Equifax Limited. The fine was under the old regime, pre-GDPR, given the timing of the breach. The seriousness of the incident is reflected in the fact that the fine is the maximum which the ICO had the power to impose pre-GDPR. Under the GDPR, the potential fine, should the events occur today in the UK, could be up to a maximum of either €20 million or 4% of annual global turnover, whichever is greater.
It is easy to imagine that in similar circumstances the fine would have been enormous, when one considers the details of the breach.
A security expert revealed that he exposed Equifax’s cybersecurity vulnerabilities to the company long before the breach and that his advice was ignored.
“It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down,” the researcher said. “In this case it was just ‘Please take this site down, make it not public.’ That’s all they needed to do.”
In a Senate Committee hearing, the one-time CEO of Equifax, Richard Smith, revealed that the Company deliberately chose not to encrypt its data.
As a result, all you had to do was put in a search term and get millions of results, instantly — in cleartext, through a web app. The personal data of all of Equifax’s customers could be downloaded in 10 minutes.
There were in fact many exacerbating factors – for example the notification of the breach was late – the Commissioner found that the breach was not reported until two months after the event.
What the Monetary Penalty Notice does not mention is the allegation that two Equifax executives — Chief Financial Officer John Gamble and Joseph Loughran, Equifax’s president for U.S. information solutions — sold $2m worth of stocks in August 2017 – after the hack was discovered but before it was disclosed, according to multiple news reports. Rodolfo Ploder, president of workforce solutions, reportedly sold stock a day later. They claim not to have known about the breach, and a review conducted internally has since cleared them of any wrongdoing.
There is a right of appeal to the First-Tier Tribunal against both the imposition and level of the fine.