LONDON, U.K. - Equifax's U.K. arm was slapped with a fine worth 500,000 pounds by the U.K. regulator over the 2017 security breach.
The U.K. regulator slapped the fine on Equifax for its failure to protect the personal information of up to 15 million people in Britain during the 2017 cyber attack.
In a statement issued on Thursday, the Information Commissioner's Office said that it found in its investigation that although Equifax systems in the U.S. were compromised, Equifax Ltd was responsible for the personal information of its customers in Britain.
According to the ICO, its investigation was carried out in parallel with the Financial Conduct Authority and had revealed multiple failures at the company.
The ICO pointed out that the cyber attack, which took place between May 13 and July 30 2017, affected 146 million Equifax customers globally.
It said in its statement that the company's British arm had failed to take appropriate steps to ensure its American parent company, Equifax Inc, which was processing the data on its behalf, was protecting the information.
The ICO said that the multiple failures by the company led to personal information being retained for longer than necessary, which made it vulnerable to unauthorized access.
The ICO said that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices and lack of legal basis for international transfers of U.K. citizens' data.
It added that measures that should have been in place to manage the personal information were inadequate and ineffective.
The ICO said that its investigation also found significant problems with data retention, IT system patching and audit procedures.
According to the ICO, the investigation found that the U.S. Department of Homeland Security had warned Equifax about a critical vulnerability as far back as March 2017.
It said that the company did not take sufficient steps to address the vulnerability despite the warning.
Following the announcement by the regulator, Equifax said that its U.K. office had received the Monetary Penalty Notice from the ICO.
Equifax added that it was now evaluating the notice and its response.
The company also added that it had cooperated fully throughout the investigation.