What did the investigation find?
The ICO found that customer data was kept for longer than necessary, and was left vulnerable to hackers due to multiple failures in IT systems and auditing.
It also said that the US Department of Homeland Security had warned Equifax about vulnerabilities in its systems in March 2017, before the hack, but that Equifax had not taken sufficient steps to address the warning.
Elizabeth Denham, information commissioner at the ICO, said: “We are determined to look after UK citizens’ information wherever it is held.
“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
She added: “Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.”
The investigation was carried out under the Data Protection Act 1998, rather than the current GDPR rules, because the failings happened before the stricter rules came into force in May this year. Under the new rules the ICO can fine companies up to £17 million or 4% of global annual turnover, whichever is higher.