
Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

UK watchdog demands max penalty after security snafu

Updated The UK's privacy watchdog wants to fine Equifax £500,000 ($660,000) after hackers siphoned off 15 million Brits' info from the credit-score agency's databases.

Or in other words, three pence for each of the affected British citizens.

The fine could have been much larger had it fallen under Europe's GDPR. However, the security breach predates the hardline regulations, which kicked in this year, leaving the UK Information Commissioner's Office (ICO) to hand out its largest possible monetary penalty under the nation's old Data Protection Act: half a million quid.

American biz Equifax was ransacked in 2017 when miscreants exploited an Apache Struts 2 security vulnerability for which a patch existed yet had not been installed by the biz's IT staff. As a result, the cyber-intruders made off with sensitive personal information on roughly 150 million Americans, 15 million Brits, and others.

Out of that 15 million, 20,000 records included people's names, dates of birth, telephone numbers, and driving license numbers, 637,000 records included names, dates of birth, and telephone numbers, and the rest: names and dates of birth.


Some 27,000 Brits also had their Equifax account email addresses swiped, and 15,000 UK individuals had their names, addresses, dates of birth, account usernames and plaintext passwords, account recovery secret question and answer, obscured credit card numbers, and spending amounts stolen by hackers.

That last lot's information was stored in a document called the "standard daily fraud" report, which was built from production data, and held in a file share accessible by sysadmins and other IT staff. Thus, it was accessible to the hackers. Ironically, the file was crafted on a daily basis for Equifax's fraud investigations team to use for probing allegations of credit card scams.

Criminals broke into Equifax's systems between May 13 and July 20, 2017, even though the biz was warned in March that year by US Homeland Security that its IT infrastructure was insecure. Uncle Sam literally told the company that its Struts 2 framework had a remotely exploitable security hole (CVE-2017-6538) in it.

Due to poor internal processes and auditing, though, the software wasn't patched, allowing crooks to tiptoe through the hole and into the US-based network. We're told Homeland Security's warning was passed through the ranks in Equifax; however, its sysadmins did not realize that the public-facing customer dispute-handling portal running the Struts 2 framework needed updating, and thus it was left unpatched.

Miscreants were poking around Equifax's insecure systems as early as March 10, prior to the May incursion. The company had installed equipment to inspect network traffic for suspicious activity – such as scumbags siphoning off 150 million customer records – however, IT staff failed for months to renew a digital certificate for the device, meaning encrypted connections were not inspected. Thus, the crooks were able to smuggle out the data over an encrypted channel without raising any alarms.

On July 29, with the certificate renewed, the US side of Equifax realized it had been hacked, and in late August worked out British folks were hit, too. Its IT staff had to replay, on test installations, the database queries run by the hackers in order to figure out what had been extracted, which took time to set up.

On September 7, that year, the US side told its UK-based Equifax Ltd the bad news, and a day later, that subsidiary admitted to the ICO that it had been pwned – initially suggesting fewer than 400,000 Brits were affected, then nudging that figure to 1.5 million before finally upgrading it with an extra zero.

The ICO probed the computer security breach in parallel with the UK's Financial Conduct Authority, we're told, before settling on handing out the maximum penalty possible.

Elizabeth Denham, Blighty's Information Commissioner, said on Thursday:

The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

This is compounded when the company is a global firm whose business relies on personal data.

We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.

Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.

Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.

Equifax can appeal the penalty, and if it does cough up the cash, it will be funneled into the UK government's public coffers. We note that, to date, no fine has been levied against the agency in its home nation. Equifax made a $587m profit in 2017 from revenues of $3.4bn. As such, one of its executives could perhaps put the $660,000 fine on expenses.

The company had no comment to offer at time of publication. ®

Updated to add

Equifax has sent us the following statement:

Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.
