Equifax Data Breach

13% drop in share price and 3 top executives forced to leave

Apply Security Patches Or Else!

Equifax is a US based credit reference agency. They work globally, and on 13th September 2017 Equifax admitted they had been hacked. This wasn't your everyday hack either. It is still hard to get concrete numbers on the size of the breach, one figure says 143 million US customers, then there have been estimates of 44 million UK customers, some residents of Canada were also affected.

But anyone can get hacked can't they? Yes, that is true, more on this later. In fact though, Equifax was hacked through a known vulnerability, for which a patch was available from March 2017. The hack took place after mid-May, and was discovered on 29th July 2017.

As time has passed, some things have become clearer. 44 million records about UK citizens were breached, although many of these contained only names and dates of birth. This isn't a crushing worry unless that data can be cross-referenced by the hackers. Many UK residents (EU Citizens) had more details stolen:

  • 637,000 whose phone numbers were stolen
  • 29,000 whose driving licence numbers were stolen
  • 15,000 who had some of their Equifax membership details, such as usernames and passwords, stolen
  • 12,000 whose email address was stolen

The ICO has been informed, and Equifax are working with the regulator who have advised 'Equifax to alert affected UK customers at the earliest opportunity.'

The Actual Consequences for Equifax

The stock price of Equifax fell by 13% on news of the breach, and the Chief Executive Officer, Chief Information Officer and Chief Security Officer have all been forced to leave.


Equifax Breach Through the GDPR Lens

Security

Equifax would be required to 'implement appropriate technological and organisational measures' to ensure they keep the data secure. Their failure to patch a known vulnerability when handling such volumes of such sensitive personal data are clear grounds for administrative fines.

Breach Notification

From becoming aware of a breach, you have 72 hours to notify the regulator. The breach was detected on 29th July 2017. The ICO should have been notified by 2nd August 2017, and that is being charitable. Data subjects have not yet been notified of the data breach, and given the nature of the data involved, some of them certainly should have been, without undue delay. These shortcomings are further grounds for administrative fines.

Hypothetical Financial implications under GDPR

We will never know how this might have been handled by the ICO, so what follows is pure speculation. If you don't like the numbers we have used, choose you own, and assess the impact.

Administrative Fines

Under GDPR the maximum administrative fine is £17 Million or 4% of last years Revenue, whichever is larger. Revenue for Equifax in 2016 was $3,144,000,000, so the maximum fine would be $125,760,000.

Now, how much of that tariff should they pay?

Did they take protecting our personal data seriously? It doesn't seem like it. Did they care about keeping us safe by letting us know about the data breach as soon as possible? Probably not what would be required.

Maybe they aren't in for 100%, but maybe the ICO has a record for using 80% of the maximum in serious cases, such as TalkTalk. That would be $100 million perhaps.

Class Actions

GDPR means data subjects can also have a slice of that action. And let's assume that with up to 44 million UK citizens affected, some legal team might find that tempting.

Let's just imagine for a minute, maybe 20 million were actually affected, but only 10% of them can be persuaded to join a class action.

Now let's imagine 2 classes:

  • 1. Data likely to pose a serious risk to the rights and freedoms of data subjects - 20% of those involved in the class action = 400,000 people
  • 2. Data NOT likely to pose a serious risk to the rights and freedoms of data subjects - 80% of those involved in the class action = 1.6 million people

After years in Court, it may be reasonable to think a judge might award £1,000 to each in class 1, and £250 to each person in class 2

That might represent a further £800 million, just for those affected in the UK!

The outcome for Equifax could easily have been so much worse after 25th May 2018. Imagine the share price hit under this circumstance.


What Went Wrong

From the outside it is hard to be certain about details, however it seems clear the security of personal data was simply not significant enough in the culture of the organisation. They had a Chief Security Officer, but clearly he wasn't functioning in that role, perhaps because the culture restricted him. Best practice suggests, and GDPR requires, top management buy-in about personal data security matters, and envisages a world of personal data protected 'by default and by design'.

Anyone can get hacked, Equifax had a Chief Security Officer, and it still happened, so how well are you placed?

But Equifax could have prevented it with simple vulnerability patching. So many preventative measures are realtively simple. Equifax could have shown they had considered personal data protection important by holding records.

The increasing threat of cyber crime, and the increasing volumes of personal data held mean many organisations are at signifacant risk.

GDPR makes those risks very large.


If you need proper advice about GDPR, contact us!

FREE initial consultation!

Call now on 0800 2800 679

eMail enquiries@dept679.com