Despite receiving a £500,000 fine from the Information Commissioner’s Office (ICO) for failing to adequately protect the data of its customers, credit rating agency Equifax has got off lightly. However, the next company to breach European data protection laws will likely face far harsher treatment, experts have warned.
The ICO issued the fine, the highest possible amount that can be given under the old 1998 Data Protection Act, in response to a 2017 cyberattack that exposed the personal data of 150m of its customers around the world.
While the compromised systems were based in the United States, the UK body was able to fine Equifax as some 14.5m British customers had their data exposed.
A lucky escape
According to reports, the breach has so far cost Equifax $440m. The bill could have been far higher had the breach occurred after the General Data Protection Regulation (GDPR) came into force in May 2018.
“Equifax will no doubt be smarting from this regulatory action, but also counting themselves fortunate that GDPR did not already apply,” Jon Baines, data expert at Mishcon de Reya said.
GDPR allows fines of up to €20m or 4% of global annual turnover, whichever is higher. Equifax reported turnover of $3.36bn in 2017, and 4% of that is roughly $134m, so the same breach under the new regime could have cost it that much in regulatory penalties alone.
“If this breach had occurred after May 2018 it would have most likely been a different story and possibly the scapegoat so many companies are currently fearing not to be,” Jake Moore, security specialist at internet security company ESET said.
Of course, while the ICO fine is a small one given the scale of the cyberattack, Equifax will pay for its mistakes with more than money.
Past research has found that cyberattacks can severely damage trust between companies and their customers.
Equifax is already seeing the effects of that. In October last year the US Internal Revenue Service terminated a $7m contract with the company due to the attack.
“Typically when such companies are attacked, their customer trust is equally attacked making it difficult to bounce back naturally,” Moore said.
A wake-up call
This is a strong sign that the ICO is ready to pounce should companies fall foul of the new data protection laws. If businesses were unaware of the importance of complying with GDPR, this might be the wake-up call that they needed.
Simon Cuthbert, Head of International at security software company 8MAN, said:
“This should come as a warning to businesses to get their houses in order and the necessary security processes in place.
“It is not only critical that organisations have visibility over who has access to data and how they are using that access, but more importantly, ensuring access to that data is terminated when it is no longer required. The implementation of a least privilege policy could ensure access to data remains secure, manageable and minimises the risk of a data breach.”
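As an added illustration of the access review Cuthbert describes (example code written for this page, not 8MAN's product and not anything Equifax ran), the Python below takes a constructed set of data-access grants plus an account directory and decides which grants to revoke: grants held by deactivated accounts, grants that exceed a hypothetical per-role baseline, and grants that have not been exercised within a 90-day threshold. The role baseline, the sample users, the sample grants and the threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str                 # dataset the grant covers, e.g. "customer_pii"
    permission: str               # "read" or "write"
    granted: datetime
    last_used: Optional[datetime]  # None means never exercised since it was granted

# Hypothetical role baseline (an assumption for this example): the most access a
# user in a given role should hold per resource. Anything beyond it is excess
# privilege even if it is actively being used.
ROLE_BASELINE = {
    "analyst": {"customer_pii": {"read"}},
    "dba":     {"customer_pii": {"read", "write"}},
}

def review_grants(grants, users, now, stale_after=timedelta(days=90)):
    """Classify each grant as keep or revoke.

    users: {user_id: {"role": str, "active": bool}}
    Returns (to_revoke, to_keep); to_revoke is a list of (grant, reason).
    Checks, in priority order:
      1. account missing or deactivated (a leaver) -> revoke
      2. permission outside the role baseline     -> revoke
      3. never used and older than stale_after    -> revoke
      4. last used longer ago than stale_after    -> revoke
    """
    to_revoke, to_keep = [], []
    for g in grants:
        account = users.get(g.user)
        if account is None or not account["active"]:
            to_revoke.append((g, "user_deactivated"))
            continue
        allowed = ROLE_BASELINE.get(account["role"], {}).get(g.resource, set())
        if g.permission not in allowed:
            to_revoke.append((g, "exceeds_role_baseline"))
            continue
        # A grant that was never used is judged from its grant date instead.
        reference = g.last_used if g.last_used is not None else g.granted
        if now - reference > stale_after:
            if g.last_used is None:
                to_revoke.append((g, "never_used"))
            else:
                to_revoke.append((g, "unused_for_%d_days" % (now - g.last_used).days))
            continue
        to_keep.append(g)
    return to_revoke, to_keep

def run_sample():
    """Run the review over constructed sample data (not real Equifax records)."""
    now = datetime(2018, 9, 24)
    users = {
        "alice": {"role": "analyst", "active": True},
        "bob":   {"role": "analyst", "active": True},
        "carol": {"role": "dba",     "active": True},
        "dave":  {"role": "analyst", "active": True},
        "erin":  {"role": "dba",     "active": False},   # left the company
        "frank": {"role": "analyst", "active": True},
    }
    grants = [
        Grant("alice", "customer_pii", "read",  datetime(2018, 1, 10), datetime(2018, 9, 20)),
        Grant("bob",   "customer_pii", "write", datetime(2018, 3, 1),  datetime(2018, 9, 23)),
        Grant("carol", "customer_pii", "write", datetime(2018, 2, 1),  datetime(2018, 4, 1)),
        Grant("dave",  "customer_pii", "read",  datetime(2018, 5, 1),  None),
        Grant("erin",  "customer_pii", "read",  datetime(2017, 6, 1),  datetime(2018, 9, 1)),
        Grant("frank", "customer_pii", "read",  datetime(2018, 8, 15), None),
    ]
    return review_grants(grants, users, now)

if __name__ == "__main__":
    revoked, kept = run_sample()
    for g, reason in revoked:
        print("REVOKE %-6s %s:%s (%s)" % (g.user, g.resource, g.permission, reason))
    for g in kept:
        print("KEEP   %-6s %s:%s" % (g.user, g.resource, g.permission))
```

In the sample, alice's recently used read grant and frank's 40-day-old grant survive; bob loses a write grant his role should never have held, carol and dave lose grants that went unexercised past the threshold, and erin's grant goes because the account is deactivated. Running such a review on a schedule, with the revoke list fed back to the access-control system, is the mechanical core of the "terminate access when it is no longer required" point in the quote.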
“Equifax are incredibly fortunate this time around, but others won’t be,” Ofri Ben-Porat, CEO and co-founder of software company Pixoneye, said.
While it is difficult to see the positives, given the scale of the cyberattack and the number of customers affected, Ben-Porat believes that some good could still come out of the Equifax breach.
“This should hopefully be a strong deterrent against inadequate security policies as companies should be making the personal data of customers their number one priority.
“Storing sensitive data in the cloud doesn’t always guarantee its safety; we’ve seen this with a number of data breaches involving large companies in the past couple of weeks. Many companies and organisations have increased their use of cloud-based services to store customer data, but many still have little visibility into how and where their critical business data is used.
“It’s no secret that maintaining complete control over business data is a significant challenge, but with customers’ personal data at stake, the security of that personal data should be a company’s number one concern.”