Cyber security malpractice has cost US credit reference agency Equifax a record-breaking $700 million (£560 million), after it failed to fix a vulnerability that enabled hackers to gain personal information from customers in the UK, USA and around the world.
The problems began in March 2017, when Equifax was alerted to a “critical security vulnerability” in its system by the Federal Trade Commission (FTC) and ordered to patch it within 48 hours. In July that year, the FTC noticed irregularities in traffic on the Equifax system, which it soon realised was because the fix was never actually completed.
Surely enough, during this time the vulnerability was exploited by hackers, who gained access to an admin file that allowed them to operate the Equifax network. From here they could uncover the personal information of more than 147 million account holders – of which around 15 million were in the UK. Information harvested by the hackers included names, dates of birth, addresses, credit card numbers and driver’s licence numbers.
To make matters worse for Equifax, it emerged later that this admin file wasn’t just unsecured, but stored in plain text – which only served to make the hackers’ lives that bit easier.
Part of the fine (£349 million) will be used for compensation and to cover the cost of credit monitoring facilities for affected customers.
The UK’s Information Commissioner’s Office fined Equifax the maximum £500,000. Had the breach taken place after the EU’s GDPR regulation was introduced, however, the company could instead have been facing a penalty of up to £120 million.
Perhaps most frustrating for the FTC was the ease in which this scenario could have been avoided. Its chairman Joe Simons told sky.com: “Equifax failed to take basic steps that may have prevented the breach.”
One of the investigation leaders, New York attorney general Letitia James was more damning in her verdict. “Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” she said.
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the US population.”
For its part, Equifax has promised to conduct an annual internal assessment of security risks and for an independent assessment to be completed every two years.