September 20, 2018 at 12:10AM The Register
Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers
Or in other words, a little over 3p for each of the 15 million affected British citizens. The fine could have been much larger had the breach fallen under Europe's GDPR.
However, the security breach predates the hardline regulations, which kicked in this year, leaving the UK Information Commissioner's Office (ICO) to hand out its largest possible monetary penalty under the nation's old Data Protection Act: half a million quid.
American credit-score agency Equifax was ransacked in 2017 when miscreants exploited an Apache Struts 2 security vulnerability for which a patch existed yet hadn't been installed by the biz's IT staff. As a result, the cyber-intruders made off with sensitive personal information on roughly 150 million Americans, 15 million Brits, and others.
Out of that 15 million, 20,000 records included people's names, dates of birth, telephone numbers, and driving license numbers, 637,000 records included names, dates of birth, and telephone numbers, and the rest: names and dates of birth.
Some 27,000 Brits also had their Equifax account email addresses swiped, and 15,000 UK individuals had their names, addresses, dates of birth, account usernames and plaintext passwords, account recovery secret questions and answers, obscured credit card numbers, and spending amounts stolen by the hackers.
That last lot's information was stored in a document called the "standard daily fraud" report, which was built from production data and held on a file share accessible to sysadmins and other IT staff, and thus to the hackers once they were inside the network. Ironically, the file was generated every day for Equifax's fraud investigations team to use when probing allegations of credit card scams.
Criminals broke into Equifax's systems between May 13 and July 20, 2017, even though the biz was warned in March that year by US Homeland Security that its IT infrastructure was insecure. Uncle Sam literally told the company that its Apache Struts 2 installation had a remotely exploitable security hole (CVE-2017-5638) in it.
Due to poor internal processes and auditing, though, the software wasn't patched, allowing crooks to tiptoe through the hole and into the US-based network. We're told Homeland Security's warning was passed through the ranks at Equifax, but its sysadmins did not realize that the customer dispute-handling portal running the Struts 2 software needed updating, and so it was left unpatched.
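The failure described above is an inventory failure: the warning named the vulnerable component, but nobody could say which of the company's applications shipped it. The following is an added example, not code from The Register or from Equifax, of the kind of check that closes that gap: it walks a deployment tree, finds every struts2-core jar by filename, and flags those in the version ranges the Apache Struts advisory for CVE-2017-5638 (S2-045) lists as affected, i.e. 2.3.5 up to but excluding 2.3.32, and 2.5.x below 2.5.10.1. The directory layout and application names in the sample tree are constructed for the demonstration.

```python
"""Inventory check: find Apache Struts 2 core jars vulnerable to CVE-2017-5638.

Added example. Version thresholds come from the Apache S2-045 advisory;
the sample web-app tree below is constructed and hypothetical.
"""
import os
import re
import tempfile
from typing import List, Tuple

# First fixed releases per S2-045: 2.3.32 on the 2.3 line, 2.5.10.1 on the 2.5 line.
FIXED_23 = (2, 3, 32)
FIXED_25 = (2, 5, 10, 1)
FIRST_AFFECTED_23 = (2, 3, 5)  # 2.3.x releases before this did not carry the bug

# Matches the conventional struts2-core jar name, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this struts2-core version falls inside the S2-045 affected ranges."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_23 <= v < FIXED_23
    if v[:2] == (2, 5):
        return v < FIXED_25
    return False  # other major/minor lines are outside the advisory's scope


def find_struts_jars(root: str) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every struts2-core jar under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                version = match.group(1)
                hits.append((os.path.join(dirpath, name), version, is_vulnerable(version)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample deployment: three apps, two of them still on affected builds."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    for rel in (
        "portal/WEB-INF/lib/struts2-core-2.3.31.jar",    # affected (hypothetical app)
        "intranet/WEB-INF/lib/struts2-core-2.3.32.jar",  # patched
        "legacy/WEB-INF/lib/struts2-core-2.5.10.jar",    # affected
        "portal/WEB-INF/lib/commons-io-2.5.jar",         # unrelated jar, must be ignored
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()  # empty placeholder; only the name matters here
    return root


def report(root: str) -> int:
    """Print one line per jar and return the number of vulnerable ones."""
    vulnerable = 0
    for path, version, vuln in find_struts_jars(root):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:10} {path}")
        vulnerable += int(vuln)
    return vulnerable


if __name__ == "__main__":
    print(f"{report(build_sample_tree())} jar(s) need patching")
```

Matching on the jar filename is the quick first pass; a renamed or shaded jar will slip past it, so a production inventory should also read `META-INF/MANIFEST.MF` inside each jar for the `Implementation-Version`, and should be run against what is actually deployed on the hosts, not against a build server's view of the world.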
Miscreants were poking around Equifax's insecure systems as early as March 10, prior to the May intrusion. The ICO probed the computer security breach in parallel with the UK's Financial Conduct Authority, we're told, before settling on handing out the maximum penalty possible.
Elizabeth Denham, Blighty's Information Commissioner, said on Thursday:
This is compounded when the company is a global firm whose business relies on personal data.
We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.
Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.
Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.
On July 29 last year, the US side of Equifax realized it had been hacked, and in late August worked out that British folks had been hit, too. Its IT staff had to replay the database queries run by the hackers on test installations in order to figure out what had been swiped.
On September 7 that year, the US side told its UK-based Equifax Ltd the bad news, and a day later the agency admitted to the ICO that it had been pwned – initially suggesting fewer than 400,000 Brits were affected, then upping that to 1.5 million UK peeps before finally upgrading that figure with an extra zero.
Equifax can appeal the penalty, and if it does cough up the cash, it will be funneled into the UK government's public coffers. We note that, to date, no fine has been levied against the agency in its home nation. ®