Information Commissioner Issues UK’s First Formal GDPR Notice


Data protection stakes are higher than ever as regulator fines Equifax £500,000 and issues a GDPR notice to firm that worked with Brexit campaigners

The British data protection regulator has fined Equifax £500,000 for failing to prevent the personal data of 15 million UK citizens from being exposed in a 2017 cyber-attack.

Meanwhile, the Information Commissioner’s Office (ICO) also confirmed it has issued the UK’s first notice under the General Data Protection Regulation (GDPR) to a Canadian firm allegedly linked to the Cambridge Analytica scandal.

Industry observers said the Equifax enforcement action and the GDPR notice indicate that ever more is at stake in protecting individuals’ data.

The massive hack of US-based Equifax systems last year affected the data of some 146 million people, most of them in the US.

‘Failures’ exposed information

But British citizens’ data was also affected and the ICO said Equifax had “failed to take appropriate steps” to protect that information.

“Multiple failures” meant personal data was kept longer than necessary and was exposed to attackers.

Equifax initially said fewer than 400,000 Britons were affected by the hack, but later raised the figure to nearly 700,000.

In October the firm acknowledged that data on a further 14.5 million British individuals had been exposed, but it said in this case the data was less sensitive and would not put people at risk.

The ICO, working with the Financial Conduct Authority, found some 19,993 UK subjects had names, dates of birth, telephone numbers and driving licence numbers exposed.

Hackers accessed names, dates of birth and telephone numbers on a further 637,430 British individuals, and finally up to 15 million UK data subjects had names and dates of birth exposed.

Warning ignored

US authorities had warned Equifax of a critical vulnerability in March of last year, but steps to fix the issue were not taken, the ICO said.

The fine is the maximum under the Data Protection Act 1998, now superseded by the GDPR, which allows for much larger fines.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” information commissioner Elizabeth Denham said. “This is compounded when the company is a global firm whose business relies on personal data.”

Equifax said it was “disappointed” with the ICO’s findings, and said the regulator had noted Equifax’s “broad range” of measures to prevent the recurrence of a similar incident.

“It acknowledges the strengthened procedures which are now in effect,” Equifax said in a statement.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

First GDPR notice

Jon Baines, data expert at law firm Mishcon de Reya, said the fine indicates the ever-higher stakes at play in data breaches.

“Equifax will no doubt be smarting from this regulatory action, but also counting themselves fortunate that GDPR did not already apply, with its potentially much higher sanctions,” he said. “The worldwide effect of the security breach involved 146 million people, and other regulators will be observing the ICO’s action with interest.”

Meanwhile, the ICO confirmed late on Thursday that it has issued its first formal notice under the GDPR, to a Canadian analytics firm that worked with Vote Leave during the campaign leading up to the referendum on the UK’s exit from the European Union.

The ICO accused AggregateIQ (AIQ) of processing people’s data “for purposes which they would not have expected”, the BBC reported.

AIQ has appealed against the notice.

Data ‘misuse’

The firm was paid by Vote Leave and other pro-Brexit organisations to target ads at prospective voters during the referendum campaign.

While the data was gathered before 25 May, when the GDPR came into force, the ICO said it was concerned about the “continued retention and processing” of data after that date, which meant the GDPR was applicable.

Earlier this year whistleblower Chris Wylie alleged AIQ was linked to Cambridge Analytica, prompting Facebook to suspend the Canadian firm from its platform along with the London-based consultancy.

AIQ has denied links to now-defunct Cambridge Analytica and has denied wrongdoing.

AIQ declined to comment other than to say that it had appealed the notice.

Mishcon de Reya said the ICO’s notice is phrased in vague terms, something that may be intended to put firms on guard to take an extremely cautious approach with regard to the way they handle data under the GDPR.