Credit rating agency Equifax has been fined £500,000 by the UK regulator for failing to protect 15 million Britons whose personal details were stolen in a data breach last year.
A cyber attack hit Equifax in the US between May 13 and July 30 last year, exposing the records of 146 million people worldwide, mainly in the US. Personal details that were stolen included names, dates of birth, telephone numbers and driving licence numbers.
Britain’s Information Commissioner’s Office (ICO), which issued the fine, said Equifax’s UK branch had “failed to take appropriate steps” to protect citizens’ data. The ICO said “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
Equifax had initially said fewer than 400,000 Britons had their data exposed in the breach. However, the company later updated the figure to nearly 700,000 and in October it said a further 14.5 million records were affected by the breach.
ICO says Equifax failed to act on US government warning
Ahead of the hack, the US government had warned Equifax in March 2017 that its systems were vulnerable.
The ICO, which teamed up with the Financial Conduct Authority to investigate the cyber attack, said the company did not take the appropriate steps to fix the vulnerability.
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce," said information commissioner Elizabeth Denham.
"This is compounded when the company is a global firm whose business relies on personal data."
Equifax apologises to customers
Equifax said it was "disappointed" in the ICO's findings and the penalty.
A spokesperson for the firm said: "As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
"The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk."