UK Regulator Imposes £500,000 Fine on Equifax for 2017 Data Breach


Atlanta-based consumer credit reporting agency Equifax has been fined £500,000 by the UK Information Commissioner’s Office (ICO) for the 2017 data breach that exposed the personal and financial information of roughly 147 million people worldwide, including about 15 million individuals in the UK. The penalty is the maximum the ICO could impose under the Data Protection Act 1998, the law in force when the breach happened; for a company with a market capitalisation of about $16 billion, it is unlikely to be felt as a serious deterrent.

The breach unfolded between mid-May and late July 2017, and the exposed data included names, US Social Security numbers, dates of birth and addresses. The attackers got in through CVE-2017-5638, a remote code execution flaw in the Jakarta multipart parser of Apache Struts 2: a crafted Content-Type header carrying an OGNL expression is evaluated by the framework while it builds an error message. Apache had published fixed releases (Struts 2.3.32 and 2.5.10.1) in March 2017, about two months before the intrusion began, but Equifax had not applied them to the public-facing application that was attacked.

The investigations carried out by the ICO and the Financial Conduct Authority found that Equifax’s handling of personal data fell short in several respects. Among other failures, the company had retained personal information longer than necessary, leaving data on a large number of UK customers exposed to misuse. Specifically, nearly 20,000 UK data subjects had their names, dates of birth, telephone numbers and driving licence numbers compromised, and around 15,000 had personal identifiers exposed together with sensitive account data such as partial credit card details, usernames, passwords and secret questions and answers.

The ICO stressed that although the compromised systems were in the United States, Equifax’s responsibilities extended to its UK customers, and the penalty notice found that the company had failed to take appropriate measures to secure their personal data. The investigation also established that the U.S. Department of Homeland Security, through US-CERT, had alerted Equifax to the Apache Struts flaw in March 2017, well before the breach, and that the company did not act on the warning.

Security professionals will recognise several MITRE ATT&CK tactics in the incident. Initial access was gained by exploiting a public-facing application (technique T1190), namely the unpatched Apache Struts vulnerability. The ICO notice does not detail what happened afterwards, but persistence, privilege escalation, credential access and lateral movement are the tactics an intruder would need to move from a single web application to the databases from which the data was taken over more than two months.
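As an added example, not part of the article or of any Equifax or Apache code, the script below shows two checks a defender could have run around CVE-2017-5638: a version comparison against the ranges Apache’s S2-045 advisory lists as affected, and a scan of logged request headers for the OGNL marker that the public exploits placed in the Content-Type header. The request samples are constructed for this example, with addresses from the documentation ranges, and the detector is deliberately simple (a `%{`/`${` marker in a multipart-related header); a production signature would be tuned against real traffic.

```python
"""Added example (not from the article, Equifax or Apache).

Two defender-side checks for CVE-2017-5638 (Apache Struts 2, advisory S2-045):
  1. version_is_affected(): is a struts2-core version inside the ranges the
     advisory lists as vulnerable (2.3.5 - 2.3.31 and 2.5 - 2.5.10)?
  2. scan_requests(): which logged requests carry an OGNL expression marker
     in a Content-Type or Content-Disposition header, the place the public
     exploits put their payload?
The request samples below are constructed for this example, not real traffic.
"""
import re

# Vulnerable ranges from S2-045; the fixed releases are 2.3.32 and 2.5.10.1.
# "2.5" is the first release of the 2.5 line, so the lower bound is (2, 5).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1). Non-numeric fragments are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_is_affected(version):
    """True if the struts2-core version falls inside an S2-045 vulnerable range.

    Tuple comparison handles the four-part fix release: (2, 5, 10, 1) sorts
    above the upper bound (2, 5, 10), so 2.5.10.1 is correctly reported safe.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# OGNL expressions in the published exploits begin with "%{"; "${" is the
# other delimiter Struts evaluates, so both are flagged.
OGNL_MARKER = re.compile(r"[%$]\{")
HEADERS_OF_INTEREST = ("content-type", "content-disposition")


def request_is_suspicious(headers):
    """headers: mapping of header name -> value for one request."""
    for name, value in headers.items():
        if name.lower() in HEADERS_OF_INTEREST and OGNL_MARKER.search(value):
            return True
    return False


def scan_requests(requests):
    """Return the indexes of the requests whose headers carry an OGNL marker."""
    return [i for i, req in enumerate(requests) if request_is_suspicious(req["headers"])]


# Constructed sample requests (documentation IP ranges, made-up paths).
# The second one carries an OGNL marker but is not a working exploit.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/app/index.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----x"}},
    {"src": "198.51.100.7", "path": "/app/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#foo=1)}"}},
    {"src": "192.0.2.5", "path": "/app/search.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "curl/7.54.0"}},
]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if version_is_affected(ver) else "fixed"
        print(f"struts2-core {ver}: {state}")
    for i in scan_requests(SAMPLE_REQUESTS):
        req = SAMPLE_REQUESTS[i]
        print(f"suspicious request from {req['src']} to {req['path']}")
```

Run stand-alone, the script reports 2.3.31 and 2.5.10 as vulnerable, 2.3.32 and 2.5.10.1 as fixed, and flags only the second sample request. The version check is the patch-management half of the story: an inventory that can answer "which deployed Struts versions fall in this range?" on the day an advisory lands is what turns a US-CERT alert into an action.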

Had this breach occurred after the EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018, the financial repercussions could have been far more severe. Under GDPR, fines can reach €20 million or 4 percent of a company’s annual global turnover, whichever is higher.

In response to the ICO’s ruling, Equifax expressed disappointment but confirmed its cooperation with the investigation. The company has received the Monetary Penalty Notice and retains the option to appeal the fine. As organizations increasingly operate across borders, this incident underscores the essential nature of robust data protection practices and the dire ramifications of neglect in maintaining cybersecurity defenses.

Business owners should take note of this incident as a significant case study in the importance of vigilance regarding data security. Keeping current with patch management and proactively addressing known vulnerabilities remains critical in mitigating risks associated with cyber threats.
