You might think Equifax UK is paying for its parent’s sins, but the Information Commissioner’s Office (ICO) has shed light on why the British unit is being penalised for last year’s cyber incident across the pond.
The massive data breach suffered by the credit reference agency – known officially as Equifax Inc in the US and as Equifax Ltd in the UK – took place between May 13 and July 30, 2017. Although it involved information systems in the US, it compromised the personal information of around 15 million UK customers. This led the British authority, the ICO, to fine Equifax Ltd £500,000 under section 55A of the Data Protection Act 1998.
“The Commissioner finds that the UK data was controlled by Equifax Ltd and was processed by Equifax Ltd’s parent company and data processor, Equifax Inc,” said ICO in the monetary penalty notice seen by Insurance Business. “In respect of the UK data, Equifax Ltd had failed to take appropriate technical and organisational measures against unauthorised and unlawful processing of that data.
“The Commissioner also finds that in respect of certain of the UK data, it had been retained by Equifax Inc in the US for longer than was necessary for the purpose(s) for which it was transferred there.”
The British unit has been supplying Equifax Identity Verifier (EIV) in the UK since 2011. According to the ICO, the product was initially hosted in the US because EIV was already operational in that market at the time. Equifax Ltd moved the product to UK hosting in 2016, but some UK data stored on the US system was not deleted when EIV was migrated from the US to the UK.
“The Commissioner considers that the process for migrating this data to the UK, and its subsequent deletion in the US, was insufficient and/or not adequately effective,” said the authority. “The EIV dataset contained up to 15 million individual records containing personal data of UK data subjects, and was among the data compromised in the data breach.”
ICO added that Equifax Ltd subsequently acknowledged that another set of UK data was also being processed in the US. Within that dataset, data relating to 27,047 UK individuals had also been compromised in the cyber incident.
The authority stressed that Equifax Ltd was responsible for the personal information of its customers in the UK, and that it failed to take appropriate steps to ensure that its US parent, which was processing the data on its behalf, was protecting the information.