Equifax fined £500,000 for failing to protect customers in data breach - how to protect your data online

20 September 2018

Credit reference agency Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) after failing to protect the data of 15 million Britons during a cyber attack in 2017.

The personal information lost or compromised during the incident ranged from names and dates of birth to addresses, passwords, driving licence and financial details.

The ICO says the UK arm of Equifax failed to take appropriate steps to protect UK citizens’ data. It says personal information had been retained for longer than necessary and was vulnerable as a result.

The data breach happened between 13 May and 30 July 2017 in the US and affected 146 million customers globally.

The ICO’s investigation, carried out alongside the Financial Conduct Authority (FCA), revealed multiple failures at the credit reference agency.

It found that measures to protect personal information were inadequate and there were significant problems with data retention, IT system patching, and audit procedures.

The investigation also found that the US Department of Homeland Security had warned Equifax about a critical vulnerability in its systems as far back as March 2017, around two months before the attack began.

Elizabeth Denham, information commissioner, says: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.

“We are determined to look after UK citizens’ information wherever it is held. Equifax showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

An Equifax spokesperson responded to the fine: “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

How to protect yourself from cyber crime

Cyber crime is on the rise, with around two million online fraud incidents reported in 2017, according to data from the Public Accounts Committee. But don’t worry, there are plenty of steps you can take to protect yourself from fraudsters.

Set up a strong, separate password

Your first line of defence against cyber crime is to have a strong password.

The key to a strong password is one you can remember easily but nobody else can guess. The best way to do this is to start with three random words: length, not clever substitutions, is what makes a password hard to crack.

The strongest passwords also contain a mixture of capital and lower-case letters, numbers and symbols, so you can add these to your three random words, provided the substitutions aren’t easy to guess (swapping ‘a’ for ‘@’ or ‘o’ for ‘0’ is among the first things a cracking tool tries). For extra security, use a separate password for every account, so that a breach at one site doesn’t unlock the others. For more information, see How to create a password to give you peace of mind.
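To put numbers on the “length gives complexity” point, here is an added example (not from the original article or from the ICO or Equifax) that generates a random-word passphrase with the operating system’s secure random source and works out how many bits of guessing resistance different constructions give. The word list is a constructed stand-in; the dictionary size of 7,776 words is assumed to match a typical diceware-style list, and the character-set sizes (26 lower-case letters, 94 printable keyboard characters) are assumptions stated in the code.

```python
import math
import secrets

# Constructed sample dictionary standing in for a real word list. The entropy
# arithmetic takes the dictionary size as a parameter so that it can be
# evaluated for a realistic list (assumption: a diceware-style list has 7,776
# entries) rather than for this tiny sample.
SAMPLE_WORDS = ["harbour", "lantern", "pebble", "quartz",
                "saddle", "tumble", "violet", "walnut"]


def bits_for_choices(count: int, pool_size: int) -> float:
    """Entropy in bits of `count` independent uniform picks from a pool of `pool_size`.

    A three-word passphrase is three picks from a dictionary; an eight-character
    password is eight picks from a character set. The formula is the same, so
    adding another pick (a longer password) is what raises the cost of guessing,
    and it only holds if the picks are genuinely random rather than chosen by a
    person.
    """
    if count < 1 or pool_size < 2:
        raise ValueError("need at least one pick from a pool of at least two")
    return count * math.log2(pool_size)


def make_passphrase(words, count: int = 3, separator: str = "-") -> str:
    """Build a passphrase from `count` words chosen with the OS CSPRNG.

    secrets.choice rather than random.choice: a password produced by a
    predictable generator is guessable however long it is.
    """
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(count))


def strength_table(dictionary_size: int = 7776) -> dict:
    """Entropy, in bits, of a few constructions for the given dictionary size.

    Assumed pool sizes: 26 lower-case letters, 94 printable keyboard characters,
    10 digits for an appended random digit.
    """
    three_words = bits_for_choices(3, dictionary_size)
    return {
        "3 random words": three_words,
        "3 random words + 1 random digit": three_words + bits_for_choices(1, 10),
        "4 random words": bits_for_choices(4, dictionary_size),
        "8 random chars, lower-case only": bits_for_choices(8, 26),
        "8 random chars, full keyboard": bits_for_choices(8, 94),
        "12 random chars, full keyboard": bits_for_choices(12, 94),
    }


if __name__ == "__main__":
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
    for label, bits in strength_table().items():
        print(f"{label:34s} {bits:5.1f} bits")
```

Run as a script it prints a passphrase drawn from the sample list and the table. The figures show the trade-off in the advice above: three random words (about 39 bits) already beat eight random lower-case letters, a fourth word adds nearly 13 bits, whereas tacking a digit on the end adds just over 3. Eight truly random full-keyboard characters score higher still (about 52 bits), but that figure only holds when every character is chosen at random, which is precisely what people do not do when they pick a password themselves.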

Install the latest software and app updates

Cyber criminals use weaknesses in software and apps to steal data. Software and app updates fix these weaknesses, and installing them promptly closes the holes attackers rely on.

It can be frustrating because it takes time, but always make sure you update your system. Setting your system to install updates automatically as soon as they are released is recommended. The Equifax attack is a case in point: the company had been warned about the vulnerability months before it was exploited.

It is also a good idea to install anti-virus software on your laptop and any other personal devices and then keep it up-to-date.

Don’t click suspicious links

A lot of people are caught out by fraudsters without even realising it, after clicking a malicious link or downloading an attachment.

Always be careful about opening a link in an email or text message, and never enter your online banking details on a page you reached that way. If you need to log in, type your bank’s address into the browser yourself or use its official app.
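As an added illustration of why a link in a message deserves suspicion (example code written for this page, not part of the original article), the following checks a link the way a careful reader would: it compares the text shown to the reader with the host the browser would actually connect to, and flags the tricks that make a bad link look like a good one. The sample links are constructed; all domains use the reserved .example top-level domain, and “mybank.example” is assumed to be the bank the recipient genuinely uses.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind found in phishing texts and emails.
# (text shown to the reader, where the link actually points)
# "mybank.example" is assumed to be the recipient's real bank.
TRUSTED_DOMAIN = "mybank.example"
SAMPLE_LINKS = [
    ("https://mybank.example/login", "https://mybank.example/login"),
    ("https://mybank.example/login",
     "http://mybank.example.verify-account.example/login"),
    ("Secure login", "https://mybank.example@203.0.113.7/login"),
    ("mybank.example", "https://xn--mybnk-8ra.example/login"),  # constructed punycode label
]


def link_host(url: str) -> str:
    """Hostname a browser would actually connect to (lower-cased, '' if none)."""
    return (urlsplit(url).hostname or "").lower()


def link_warnings(display_text: str, href: str,
                  trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return reasons not to trust the link; an empty list means nothing suspicious."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append(f"link is not https (scheme {parts.scheme or 'missing'!r})")

    # user@host: everything before the '@' is ignored by the browser but reads
    # like the real site to a human.
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username!r}) is not the host; "
                        f"real host is {host!r}")

    # Internationalised labels (xn--) can render as lookalike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"host {host!r} uses punycode; check for lookalike characters")

    # Only the bank's registered domain and its subdomains count as the bank;
    # "mybank.example.verify-account.example" is somebody else's site.
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        warnings.append(f"host {host!r} is not {trusted_domain!r} or a subdomain of it")

    # Link text that looks like a URL or domain but points somewhere else.
    shown = display_text.strip()
    if "." in shown and not any(ch.isspace() for ch in shown):
        shown_host = link_host(shown if "://" in shown else "https://" + shown)
        if shown_host and shown_host != host:
            warnings.append(f"link text shows {shown_host!r} but points at {host!r}")

    return warnings


def check_all(links=SAMPLE_LINKS) -> dict:
    """Map each link target to its list of warnings."""
    return {href: link_warnings(text, href) for text, href in links}


if __name__ == "__main__":
    for href, found in check_all().items():
        print(href)
        for message in found or ["  (nothing suspicious)"]:
            print("  -", message)
```

Only the first sample link comes back clean. The second fails on plain http, on a host that merely begins with the bank’s name, and on link text that does not match the destination; the third hides the real host (an IP address) behind a fake one placed before an ‘@’; the fourth uses an internationalised domain label that can render as a lookalike of the real name. The same checks apply when you hover over a link in a mail client, which is the practical habit the advice above is asking for.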

Never share your passcodes, PIN or online banking password with anyone, not even bank staff.

Also, never download software or let anyone log on to your devices remotely during or after a cold call.

Only download apps from reputable app stores

Reputable app stores vet apps before listing them, including checks for malicious behaviour and for how they handle your data.

If an app is only available through less legitimate means, chances are it has had no such scrutiny and should be avoided.


In reply to by anonymous_stub (not verified)

Which is great, but those of us affected don't see a penny of this. Instead they give out "free" access to their system for 2 years. Given it's my data, I have free access to it under GDPR anyway.
