Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

The UK's privacy watchdog wants to fine Equifax £500,000 ($660,000) after hackers siphoned off 15 million Brits' info from the credit-score agency's databases. Or in other words, three pence for each of the affected British citizens. The fine could have been much larger had it fallen under Europe's GDPR. However, the security …

  1. This post has been deleted by its author

    1. streaky
      Facepalm

      Re: GDPR can't Fix this

      What on earth are you on about.

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR can't Fix this

      From the Bloomberg article you linked to:

      "convicted the ringleader of the effort to rig the Libor index, initiated criminal proceedings against Barclays Plc and its former chief executive officer for actions in the 2008 financial crisis"

      I saw an interesting bit of code named "Barclays Corporate brand safety" in a website's source that had numerous keywords in it. Some of the usual words that could get someone on a "watch list" and some that were just possible "trigger" words that could be considered not "politically correct" depending on their usage and context.

      But one of the "trigger" words that caught my attention in that list was: "Libor".

      (Protecting that "corporate brand" I suppose.)

      1. Yet Another Anonymous coward Silver badge

        Re: GDPR can't Fix this

        Would GDPR fines apply in this case?

        It wasn't that they were deliberately selling customer information - they got hacked.

        We don't fine banks when they get robbed (OK, we don't fine them when they deliberately mislead and rob customers either, but that's a different story).

        They were obviously incompetent, but imagine - if you get hacked because of a zero-day exploit in Windows, should you get fined 4% of your turnover, or should Microsoft be fined? If your AWS bucket is hacked, does the EU get 4% of Amazon book sales?

        But if you aren't responsible when your cloud provider gets hacked - what stops Equifax setting up "Equifax data processing Europe Inc", a subcontractor with no assets?

        1. streaky

          Re: GDPR can't Fix this

          Would GDPR fines apply in this case?

          It wasn't that they were deliberately selling customer information - they got hacked.

          Yes.

        2. plrndl
          Unhappy

          Re: GDPR can't Fix this

          If you're using Windows and other MS software in a business environment where you have access to confidential data, you deserve everything you get.

  2. This post has been deleted by its author

    1. Snow Wombat
      Facepalm

      Re: 30 quid per victim?

      If you're Aussie, then they are already slurping up your data, due to recent law changes.

      1. John Robson Silver badge

        Re: 30 quid per victim?

        15 Million victims, £500k fine

        That's not £30 per victim - it's thruppence.

        1. Anonymous Coward
          Happy

          Re: 30 quid per victim?

          15 Million victims, £500k fine

          That's not £30 per victim - it's thruppence.

          And a massive 0.1% of profits. That'll teach 'em not to mess with the ICO.

          With the supercharging of these sort of fines post GDPR, I imagine there was a big sigh of relief in the executive board room that the hack didn't happen later than it did.

          The corollary is that we'll now see a small industry of trying to backdate hacks. "they hacked into our system years ago and were still using those credentials, so last week's hack was really years old", "The dog ate our latest log files, but we've still got the ones from two years ago", etc.

        2. FlossyThePig

          Re: 30 quid per victim?

          ...it's thruppence...

          Isn't that a term from pre-decimal currency, when thruppence was a quarter of a bob.

          I can remember just before "D" (decimal) day a pint in the local cost 1/9. That should have become 9p after "D" day but it became 9.5p.

          (Where's the Boring Old Fart icon)

          1. MyffyW Silver badge

            Threepence

            Though in some regions of the country (including my own flattened North Country vowel sounds) it is pronounced thruppence, it is spelt threepence.

            The threepenny bit - or Joey as it was called - also doubles as a bit of rhyming slang for certain bodily functions. No similarity to Equifax should be inferred.

  3. Snow Wombat
    Facepalm

    Meanwhile, in Australia..

    They just updated our laws, so all our transaction data gets sent to these arseclowns, with no ability for us to opt out.

    *sigh*

    I'd be more annoyed, but my credit history is already a garbage fire, due to the instability of the IT market until recently.

    1. Just Enough

      Meanwhile, in America..

      Equifax has been fined a massive $0.00. Zero, nil, not a sausage. They've been told they are naughty and not to do it again.

      Because profits > people.

      1. JCitizen
        FAIL

        Re: Meanwhile, in America..

        I've been giving my representatives hell about this ever since it happened. Slowly it seems Congress is finally realising just how spitting mad the public is about this. As far as I'm concerned, I'd take free credit locking over a fine any day - THAT would really hurt them, but TOO FRICKN BAD!!

  4. herman

    So, the credit history and ID of the Cockney is worth about a tuppence. That sounds pretty high innit?

    1. Colin Bull 1
      Thumb Down

      'So, the credit history and ID of the Cockney is worth about a tuppence. '

      In another lifetime I was a customer of TalkTalk and had a line fault reported to them.

      After this data was nicked I had no written notification from TalkTalk. I did have regular calls from them telling me my modem was showing faults and I needed to do Windows R to get them to fix it. (quoting my address and TT account no to prove it was TT) In the last week this has escalated to 2 calls a day. I know how much my details are now worth in India. Sweet FA.

  5. Mark Exclamation

    "...IT staff failed for months to renew a digital certificate for the device..."

    Actually, it's more likely that IT staff completed the required paperwork for renewal in plenty of time, but said paperwork probably just got bogged down in accounts payable bureaucracy. A company the size of Equifax probably doesn't pay its bills particularly frequently, and likely has many hoops to jump through to get money spent.

  6. Randall Shimizu

    In my mind Equifax is getting off cheap....!!

    1. Korev Silver badge

      I agree, but the fine is as large as it could be under the old rules.

      1. Doctor Syntax Silver badge

        "I agree, but the fine is as large as it could be under the old rules."

        As the article says but maybe some don't read beyond the headlines.

        What businesses should be taking note of is that the regulator has no qualms about setting maximum fines for the really big offences. A business such as Equifax might be able to shrug off £500k, but 4% of global turnover will get their attention, and this is a signal that it's not a remote probability in such circumstances. It really is worthwhile spending money on security.

        Presumably other EU regulators will be looking at whether any of their citizens were affected and issuing their own fines. And if the US continues to be tardy getting round to issuing penalties then that should be taken into account when the Security Figleaf gets looked at again.

        1. MJB7

          Re: Max fine

          "the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.

          I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.

          1. Anonymous Coward
            Anonymous Coward

            Re: Max fine

            I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.

            If the ICO had any spine, they'd have done a "counterfactual" exercise to establish what a similar breach would be worth under GDPR, and stated that sum in the press release, and then we could all conclude whether GDPR will have any teeth in practice.

            Even so, looking at the vast and frequent fines and subsequent behaviours in the financial services sector (of which Equifax are part), I'm sure that the evidence is that substantial fines do not change values and behaviours, they merely close off a particular format of transgression. And since Equifax net income/turnover is 17.4%, I'm unconvinced that a 0.4% of turnover fine would actually scare the board.

            1. Anonymous Coward
              Anonymous Coward

              Re: Max fine

              "a 0.4% of turnover fine could actually scare the board."

              Depends. If it's paid from company funds, it'll be a while before company behaviour changes.

              If the penalty was payable by the individuals on the board (same way as megabonuses are payable to the individuals on the board) they might start to think about changing the way they do business.

              Strangely enough, the ICO has recently been talking about similar kinds of thing (e.g. companies going bust rather than paying a corporate penalty).

  7. Anonymous Coward
    Anonymous Coward

    Sorry guys

    [voice of Chris Barry, of the Brittas Empire]

    Let's all sing Kumbaya together...

    1. Aladdin Sane

      Re: Sorry guys

      Excellent...

  8. WibbleMe

    Makes me wonder why this country is in trillion pound debt and we are handing out poxy fines to corps when our businesses like HSBC get billion dollar fines across the pond.

    1. Doctor Syntax Silver badge

      "Makes me wonder why this country is in trillion pound debt"

      Gross financial mismanagement not directly connected to

      "and we are handing out poxy fines to corps"

      Read the article and note that this was the maximum fine under the legislation at the time. Would you be happy if a regulator could just make up penalties at whim? (Think carefully what you ask for before you answer: "Mr Wibble, you were found parking on a double yellow line for the second time. You clearly have disregard for the law. Your car will be taken and crushed and you will serve 3 years in prison.")

      1. P. Lee

        3 years - 5% of life; car crushed - maybe 50% of annual income.

        That's too much.

        This case is not, oh no we wiz hacked, it's just more profitable not to be careful than implement good practices.

        That won't change until there is a credible deterrent.

        1. SImon Hobson Bronze badge

          That won't change until there is a credible deterrent

          Which is why GDPR allows fines of up to 4% of GLOBAL turnover (of the group where it's a subsidiary and so on) - so no fudging things to make profits appear negative, or putting turnover through the books of a partner company, or other tricks.

          So Equifax UK could be fined up to 4% of turnover of the whole group, not just of the UK company. What's more, it can continue (daily fines) indefinitely if the company refuses to fix the problem.

          If that's not a deterrent, I don't know what is.

          1. Mark 85

            If that's not a deterrent, I don't know what is.

            Jail time for the board might go a long way also.

          2. Anonymous Coward
            Anonymous Coward

            So Equifax UK could be fined up to 4% of turnover of the whole group, not just of the UK company. What's more, it can continue (daily fines) indefinitely if the company refuses to fix the problem.

            If that's not a deterrent, I don't know what is.

            That won't be a deterrent. There's all manner of things companies can be fined stupid, arbitrary, picked-from-a-bureaucrat's-arse percentages of turnover for, but all concerned know that is window dressing. Take Ofgem - probably Britain's most aggressive, combative regulator. E.ON failed to install AMR devices for business customers by a given deadline, and could have been fined up to 10% of turnover. With turnover of £9 billion, that would be a £900m penalty, right? That'll show the dirty German rotters! Dream on. The company were fined TWO QUID by the regulator, plus a £7m payment to Ofgem's Waifs & Orphans fund. Yes, including the £7m slush fund payment, not even 0.08% of turnover.

            Now, how much do you think Equifax would have been fined under GDPR?

    2. Anonymous Coward
      Anonymous Coward

      @WibbleMe

      That's because our lawmakers are beyond incompetent.

      Also, see how good they are at ensuring corporation taxes are appropriate.

      They just don't give a fig.

  9. Tony Paulazzo

    Ok, I might be being a bit thick here, but why is this shit being held on servers connected to the internet anyway? This and societal infrastructure like nuclear power stations, power grids, NSA snooping et al don't need to google what perversions the latest celebrity has been up to; they should be on company servers not connected to the internet. If they're a worldwide organisation, have some kind of (oh, I don't know, let's call it a) worldwide intranet that can only be accessed physically within the company - they have the money. Nearly unhackable - short of an inside job.

    1. Doctor Syntax Silver badge

      "Ok, I might be being a bit thick here, but why is this shit being held on servers connected to the internet anyway?"

      Because that would mean segmenting their networks and it might be a bit inconvenient. Convenient trumps security and will continue to do so until it gets too expensive.

    2. Anonymous Coward
      Anonymous Coward

      It's being held on machines accessible from the internet so you can make credit reference enquiries over the internet.

      1. Barrie Shepherd

        "It's being held on machines accessible from the internet so you can make credit reference enquiries over the internet."

        Not wholly true - I can't make a credit reference check over the internet (even of my account) to the depth that other 'trusted' organisations can. It's held on servers connected to the internet so that Equifax can sell the data to third party organisations for credit checking, identity checking etc. - that's their business.

        As they get a fee for each check, a fee that I'm sure is greater than 3 pence, then the fine is just pure noise and in no way forces them to improve their systems.

        Let's face it, in the scale of things it's simpler to pay the odd fine of £500,000 than spend that much on additional staff, consultants, servers and SW upgrades to rectify poor IT security.

        I'm sure the CFO will report it to the board as "The cost of doing business".

  10. BebopWeBop
    Thumb Up

    Roll on GDPR

  11. Wolfclaw

    Should be £500,000 per person's details, then companies may learn or go bust!

  12. Bavaria Blu
    Flame

    Credit agencies should be regulated

    I would hope given how important credit ratings are to many citizens' lives, that they would be regulated like banks. This amount of data loss would ideally result in them losing a "licence" to store sensitive personal data.

    It makes me reluctant to give them my information even just to check my credit file.

    It is surprising no legal action can be taken for gross negligence? I suppose if you can't prove you've lost out, what they did is not an offence which would result in compensation for the victims.

    1. Anonymous Coward
      Anonymous Coward

      Re: Credit agencies should be regulated

      Given that undue stress and anxiety could be considered "losing out" there is every chance to go after them. Proving that is another matter, but there is a legal recourse, even if it is open to abuse.

    2. Anonymous Coward
      Anonymous Coward

      Re: Credit agencies should be regulated

      Credit rating agencies already are regulated, both in the US and EU, on account of their incompetence in the run up to the 2008 financial crisis. But that is sector-focused regulation of how they do the job of credit ratings.

      Data protection remains with the "relevant competent authorities", so in the UK the ICO, and the paltry fine reflects the failure of national politicians to update local laws, partly because GDPR was coming along, partly because the likes of Google and Facebook were very effective in lobbying for trivial penalties to continue.

  13. paulc

    Things will not improve until...

    CEOs start facing jail time...

    1. Phil Kingston

      Re: Things will not improve until...

      Perhaps start with CIOs

      1. Mark 85

        Re: Things will not improve until...

        Can't we do both?

  14. Chronos
    WTF?

    Gob = smacked

    "20,000 records included people's names, dates of birth, telephone numbers, and driving license numbers"

    What in seven hells¹ were they doing with driver numbers? More to the point, how did they get them? DVLA being mercenary again? With that, a date of birth and a national insurance number they can pry into all manner of things that are none of their sodding business. So can script kiddies now.

    Time these bastards were brought to heel.

    ¹ obligatory GoT outburst

    1. Barrie Shepherd

      Re: Gob = smacked

      What in seven hells¹ were they doing with driver numbers? More to the point, how did they get them?

      I'd very much like to know that as well.

      I'd also like to know how an American ID checking company, used by Air B&B, are able to use your UK Driving License number to confirm your ID - "just send us a hi res photo of both sides of your license and we will confirm your ID to Air B&B so your rental booking can proceed"

      1. Version 1.0 Silver badge
        Unhappy

        Re: Gob = smacked

        Credit agencies share data - how did they get your drivers licence number - did you pay with a credit card by any chance? You gave them your address and birthday and they cross referenced that to your bank details ... and on and on.

        In Louisiana all you need is the first and last name, zip code and birth date and you can determine each voter's political party from a public website. The credit agencies gather all this information and then sell it ...

  15. Anonymous Coward
    Anonymous Coward

    We should be able to GDPR delete it

    Can't we at least use the GDPR individually to have any data they do have on us deleted. OK in the absence of a gigantic data breach you could argue Equifax has a right to hold credit data the banks have asked for the right to transfer to them; but following such an egregious breach it ought to be fair reason to demand Equifax delete everything they have on you (because they can't be trusted to keep it secure) under the GDPR and without any "necessary for business" exclusions.

    1. Anonymous Coward
      Anonymous Coward

      Re: We should be able to GDPR delete it

      You probably can do that. But then you'll have no credit record at all and will have an entertaining time if you want a mortgage, say.

      1. Teiwaz

        Re: We should be able to GDPR delete it

        You probably can do that. But then you'll have no credit record at all and will have an entertaining time if you want a mortgage, say.

        Yeah, you'd be kind of a 'blank Reg'*

        * Max Headroom : 20 Minutes into the Future

        I think we're heading in that direction anyway, a world where credit fraud is considered worse than murder....

    2. JCitizen
      Megaphone

      Re: We should be able to GDPR delete it

      Giving you a FREE credit BLOCK anytime you want it, would be much more effective, and also cause loss of income to the reporting agencies - AWE!!? TOO BAD!

  16. CAPS LOCK

    I'm a bit surprised that Uncle Sam hasn't given Equifax a thrashing...

    ...after all Senators and Congressmen have been caught up in it.

    1. JCitizen
      Alert

      Re: I'm a bit surprised that Uncle Sam hasn't given Equifax a thrashing...

      Congress has been threatening more regulations for years, but they kept promising they'd do it without regulation. Well, they obviously failed, and public uproar finally has the voters asking questions. I've contacted my legislators demanding I be allowed a free credit BLOCK anytime I want it, and that would effectively fix the problem, and also punish the reporting agencies as well. I'll believe it when I see it happen though!!

  17. Crisp

    £500,000 fine?

    Surely that should be per victim.

  18. Kaltern

    Money

    Maybe Equifax should have a 'trust rating', held by some company that measures the level of trust you can have in companies who deal with sensitive data. And anyone can check the rating of said companies, who must display their rating in any and all correspondence and advertising.

    Such a rating should determine how much data they can hold and for how long, subject to GDPR rules. And these companies may not ask to have their rating altered, unless they can prove beyond doubt that their rating is wrong.

    Almost like... a credit rating. How coincidental....

  19. adam payne

    Equifax can appeal the penalty, and if it does cough up the cash,

    Not quite sure on what grounds Equifax could appeal on.

  20. Anonymous Coward
    Anonymous Coward

    They're dodgy.

    I worked for a company a few years ago whose call centre cold called people with their own business.

    I absolutely loathe cold callers so when I, the lowly IT guy, found out, I asked the sales director how this was allowed.

    'Equifax sold us the details, they're business owners, it's alright.' I took a look, and yep, a spreadsheet of customers, their phone numbers, and credit scores. And this scumbag company was targeting the higher credit score ones.

    I resigned and took a contract role elsewhere.

  21. This post has been deleted by its author

  22. adnim

    Paltry fine

    How is that meant to discourage?

    Besides, Equifax could have simply sold the data and claimed a breach.

    £1 per record 15m.... 500k max fine... good business practice.

    Yes I am being silly, but not entirely irrational.

    1. JCitizen
      Devil

      Re: Paltry fine

      Oh they are making out like bandits selling customers "Credit Monitoring" so they can watch over the mistakes of the very reporting agency that caused the problem in the first place! Now does that sound like extortion - YES it does!

  23. Anonymous Coward
    Anonymous Coward

    The penalties have to be high enough...

    ...that shareholders and directors finally realise that saving "expense" on the IT is really, REALLY, stupid.

    A lot of big companies still don't understand that their business IS the IT stuff.

  24. Drs. Andor Demarteau (ShamrockInfoSec)

    Can we really be sure they are now secure? (as claimed)

    "As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect."

    Maybe at the moment the ICO looked at it, but will it stay this way?

    Security is not something you bolt-on nor patch-over afterwards. Security-by-design is a key requirement of the design of networks, systems, software and usage procedures.

    Or at least it should be.

    1. David Roberts
      Facepalm

      Re: Can we really be sure they are now secure? (as claimed)

      The phrasing just means that they finally applied the patch.

  25. Aodhhan

    Ironic part is

    ...the information leaked is the same information political campaigns purchase on all of us so they can better target the public for contributions.

    You'll probably never see politicians outlaw the collection of certain data, since they themselves profit from it. Every habit you have, each item you purchase, is collected and added to your own little private database for a company to sell. Trends, movements, purchases, etc. are all bought/sold.

    Human metadata is the new gold, and politicians can't get enough of it.
