“Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.”
These were the words of an Equifax Ltd spokesperson, in a statement sent to Insurance Business following our report on the £500,000 fine handed down by the Information Commissioner’s Office (ICO). The spokesperson confirmed that the British company had received the monetary penalty notice, adding that it is considering the detailed points made by the authority.
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect,” said the spokesperson.
“The criminal cyberattack against our US parent company (Equifax Inc) last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
Saying they “have acted and continue to act to make things right for consumers,” the firm also outlined the actions taken following the data breach. These include investing £23 million in the UK business to improve security controls, IT infrastructure, and processes; hiring 120 additional IT professionals this year; and undergoing six independent reviews of Equifax Ltd’s security programme to gain certification to ISO 27001.
The compromised data involved historical consumer information, which the credit reference agency admitted should have been deleted but was not. It has since reviewed its processes to ensure the company is only holding personal data relevant to current operations.