Equifax Hit With Maximum UK Privacy Fine After Mega-Breach'Multiple Failures' Cited as Watchdog Levies Maximum Possible Pre-GDPR Fine
Credit bureau Equifax has been hit with the maximum possible fine under U.K. law for "multiple failures" that contributed to its massive 2017 data breach, including its failure to act on a critical vulnerability alert issued by the U.S. Department of Homeland Security.
The Information Commissioner's Office, which is the U.K.'s data protection authority and enforces the country's privacy laws, announced the £500,000 ($660,000) fine on Thursday. Following an investigation into the breach - carried out in parallel with the U.K.'s Financial Conduct Authority - the ICO cited Equifax "for failing to protect the personal information of up to 15 million U.K. citizens during a cyberattack in 2017."
An investigation carried out by the ICO found that Equifax violated more than half of the country's applicable data protection principles.
In one particularly egregious example, the credit bureau was storing personal information, including plaintext passwords, in a testing environment "for the purposes of fraud prevention and password analysis," the ICO says. The company also failed to obtain users' consent for doing so, telling the ICO this would have created a security risk.
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce," says U.K. Information Commissioner Elizabeth Denham. "This is compounded when the company is a global firm whose business relies on personal data."
Denham notes that U.K. privacy laws require any organization that stores U.K. individuals' personal details to properly safeguard that data, no matter where in the world it might be stored.
"Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law," she says.
GDPR Did Not Apply
The ICO says that because the Equifax breach occurred in 2017 - from May 13 to July 30 - it did not fall under the EU's General Data Protection Regulation, which went into full effect on May 25. Instead, it was subject to the U.K.'s 1998 Data Privacy Act.
For breaches that have happened or lasted until May 25 onwards, however, organizations handling U.K. individuals' personal data must comply with GDPR as well as the U.K.'s Data Protection Act 2018, which includes wider requirements, including additional law enforcement and security provisions.
"Under past and current law, the ICO can take action to change the behavior of organizations and individuals that collect, use and keep personal information," the ICO says. "This includes criminal prosecution, non-criminal enforcement and audit."
Organizations that fail to comply with GDPR's privacy requirements face fines of up 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue (see GDPR Effect: Data Protection Complaints Spike).
Breached: Equifax Identity Verifier Dataset
The ICO says two data sets at Equifax that contained U.K. data subjects' information were breached, and noted that much of this data would have been "useful to scammers and fraudsters."
The first data set, involving the Equifax Identity Verifier service, exposed:
- 19,953 individuals' name, date of birth, telephone number and driving license number;
- 637,430 individuals' name, date of birth and telephone number;
- 15 million individuals' name and date of birth.
The ICO notes in a 32-page monetary penalty notice (PDF) that while this U.K. data was initially hosted in the U.S., starting in 2011, in 2016 Equifax moved the EIV product to the U.K. "At this point all U.K. data ... should have been removed from the U.S. environment or, at a minimum, a process by which this was to be undertaken should have been fully established and promptly initiated," the ICO says. "However, some U.K. data stored on the U.S. system was not deleted when migrating the product from the U.S. to the U.K."
The ICO said this failure constituted a violation of U.K. privacy law.
Breached: Global Consumer Services Dataset
The second set of breached data - involving Equifax's Global Consumer Services dataset - exposed:
- 27,047 individuals' email address used to register their Equifax account;
- 14,961 individuals' name, address, date of birth, username, plaintext password, plaintext secret question and answer, obscured credit card number and some payment amounts.
The ICO says that with its GCS dataset, Equifax was failing to follow its own cryptographic standards, which required that all passwords be stored in "encrypted, hashed, masked, tokenized" or another approved form.
In one case, ICO notes that plaintext passwords for the GCS dataset were being stored in a file that could be accessed by multiple users, "including system administrators and middleware technicians," solely for testing purposes.
Five Data Protection Principles Violated
All told, the ICO says that Equifax violated five of the eight U.K. data protection principles in force at the time of the breach:
- Article 1: Personal information must be fairly and lawfully processed;
- Article 2: Personal information must be processed for limited purposes;
- Article 5: Personal information must not be kept for longer than is necessary;
- Article 7: Personal information must be secure;
- Article 8: Personal information must not be transferred to other countries without adequate protection.
A recently released report on the Equifax breach from the U.S. Government Accountability Office, titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," says five key factors contributed to the breach (see Postmortem: Multiple Failures Behind the Equifax Breach).
The GAO report noted that Equifax failed to patch an Apache Struts 2 application portal it was running until more than four months after a critical patch - and a warning from US-CERT to install the patch immediately - was issued. The GAO report says Equifax only discovered the unpatched system thanks to a network security tool that was designed to scan encrypted traffic for signs of malicious activity. But Equifax had failed to renew a digital certificate required for the tool to function. Once it did so, the SSL decryption tool helped flag attackers' data exfiltration, using encrypted data, and led back to the Apache Struts 2 implementation, the GAO's report said.
The ICO's report flags not only the patch failure but also the digital certificate one.
"The certificate expired in January 2016 and was not fixed until July 2017," the ICO's report says. "Equifax has provided no adequate reason why this expired certificate was not detected prior to the data breach or why it went undetected for this amount of time."
At last count, Equifax says the breach compromised not only 15.2 million U.K. individuals' personal details, but also personally identifying information for at least 145.5 million U.S. consumers as well as for 8,000 Canadian consumers.