Equifax fined maximum penalty under 1998 UK data protection law

The fine amounts to $664,000.
Equifax settlement
The judge’s decision Monday represents the final approval of a settlement deal initially proposed in July. (Flickr)

Credit monitoring giant Equifax has been hit with the maximum penalty from the UK’s data protection agency for its actions related to the company’s massive data breach.

The U.K. Information Commissioner’s Office issued a fine of £500,000 (about $664,000) for failure to protect information tied to 15 million U.K. residents.

Equifax announced in October 2017 that along with the 145 million U.S. residents impacted by the breach, a file containing 15.2 million records on U.K. citizens was also “attacked.” That number included over 693,000 U.K. residents that had their email address, phone number, driver’s license number or username and password combination stolen.

The fine ties back to the U.K. Data Protection Act of 1998, a law that has been superseded by the European Union’s General Data Protection Regulation (GDPR). The Equifax breach occurred prior to GDPR’s activation.


The fines under GDPR would be extensively larger. Under the new law, companies that suffer a data breach can be fined as much as €20 million or 4 percent of an organization’s annual global revenue, whichever is greater.

“We are determined to look after UK citizens’ information wherever it is held,” Elizabeth Denham, the UK’s information commissioner said in a released statement. “Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

Equifax did not have comment at the time of this article’s publication. CyberScoop has reached out and will update this story when we hear from the company.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts