Equifax hit with the UK's maximum penalty for data breach 2017 – TechCrunch




Credit-scoring giant Equifax has been hit with the maximum possible penalty by the UK's data protection agency over last year's massive data breach.

While the fine is only £500,000, that is because the loss of customer data occurred while the UK's previous privacy regime was in force, rather than the new Data Protection Act 2018, which implements the GDPR and allows fines of up to 4% of a company's global annual turnover for the most serious data breaches.

So, once again, Equifax has managed to avoid the worst consequences of the 2017 breach, even though the hack stemmed from its own internal process failings: it failed for months to patch a server known to be vulnerable, allowing attackers to get in and exfiltrate data on 147 million consumers.

Personal information lost or compromised in the 2017 Equifax breach included names, dates of birth, addresses, passwords, driver's license details and financial details.

The UK's data protection regulator became involved because the data of 15 million UK citizens was also compromised. And although the hack compromised Equifax's US systems, the UK citizens' data was being processed in the United States.

The UK's Information Commissioner's Office (ICO) said today that Equifax's UK arm failed to take adequate steps to ensure that its US parent was protecting this data.

In reporting the outcome of its investigation, the ICO said that Equifax had breached five of the eight data protection principles set out in the Data Protection Act 1998, including failing to secure personal data; poor retention practices; and a lack of legal basis for the international transfer of UK citizens' data.

"Equifax Ltd received the highest possible fine under the 1998 Act because of the number of victims, the type of data at risk, and because it had no excuse for failing to follow its own policies and controls, as well as the law," said Information Commissioner Elizabeth Denham in a statement. "We are committed to protecting the information of UK citizens wherever it is held."

"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data," she added.

The regulator's investigation, carried out in parallel with the UK's financial regulator, the Financial Conduct Authority, revealed multiple failings at the credit reference agency.

The ICO found that the measures that should have been in place to manage personal information were "inadequate and ineffective", and that there were also "significant problems" with data retention, IT system patching and audit procedures.

It reports that the US Department of Homeland Security warned Equifax Inc. of a critical vulnerability as early as March 2017, noting that "sufficient steps to address the vulnerability were not taken, meaning that a consumer-facing portal was not appropriately patched."

"Many people would not have known that the company held their data; learning about the cyber-attack would have been unexpected and probably caused particular distress," added Denham, explaining why the ICO chose to impose the maximum possible penalty for the breach.

The ICO also recently hit Facebook with the same level of fine for allowing a third-party app to harvest data from up to 87 million Facebook users in order to build voter-targeting models, which were then sold to a political consultancy involved in the US elections.

"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it," she continued. "Their boards must ensure that internal controls and systems work effectively to meet legal requirements and customers' expectations. Equifax Ltd showed a serious disregard for its customers and the personal information entrusted to it, and that led to today's fine."

Equifax responded with disappointment to the ICO's decision. In a statement, a spokesperson for the company said: "We received the monetary penalty notice from the Information Commissioner's Office on Wednesday afternoon and are reviewing the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed by the findings and the penalty.

"As the ICO notes in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents, and it acknowledges the strengthened procedures now in place. The criminal cyber-attack on our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.

"Data security and combating criminal digital activity is an ongoing battle for all organisations, one that requires constant innovation and attention. We have acted, and continue to act, to make things right for consumers. They will always be our priority."

The company points to a number of changes made in response to the incident to strengthen its policies and processes, and also highlights ongoing investment in the business's infrastructure and governance procedures, including hiring additional IT staff and strengthening the resilience of its systems against hacking attacks.

However, it concedes that the breach itself was the result of internal process failings, since a file containing historical consumer information that should have been deleted was not.

And the key point here is that the ICO's decision rests on a careful examination of what happened and what led to the breach.

How a company has behaved since a security crisis can be taken into account in the overall picture, but closing the barn door after the horse has bolted will only ever count for so much against the failure to secure the stable properly in the first place. And so it should be: the purpose of data protection legislation is to encourage businesses to prioritise security, not to neglect it.

In the Equifax decision, the ICO writes: "The Commissioner has also taken into account her underlying objective in imposing a monetary penalty notice, namely to promote compliance with the DPA [Data Protection Act]. She considers that, given the nature, gravity and potential consequences of the contravention in this case, that objective would not be adequately served by an unduly lenient penalty."
