The Information Commissioner's Office (ICO) in the United Kingdom has issued credit reporting agency Equifax Ltd with a £500,000 ($662,000) fine following an investigation into a cyber attack leading to the loss of millions of customer records in 2017.

An attack targeting Equifax Ltd's parent company, US-based Equifax Inc., between May and July last year may have compromised data of up to 147 million customers, including more than 15 million in the UK.



Information Commissioner Elizabeth Denham said the company had "no excuse" for failing to adhere to its own security policies and the law.

"Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers' expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today's fine," she added.

In the attack, hackers were able to access people's home and email addresses, phone numbers and answers to security questions linked to Equifax accounts.

The breach was revealed by the UK's National Cyber Security Centre, which issued a statement saying that a phishing attack had left customer data, held in the US without UK customers' knowledge, vulnerable to attacks.

Equifax Ltd initially estimated that the breach affected 450,000 of its UK customers, later confirming that a total of 15.2 million files, created between 2011 and 2016, were accessed by the attackers.

The US Financial Conduct Authority (FCA) carried out its own investigation into the breach alongside the ICO. Both found that poor security practices led the company to retain customer data for longer than necessary, making unauthorized access more likely.

Substandard data retention, IT system patching, and audit procedures were uncovered by the probes, and it emerged that the US Department of Homeland Security had warned Equifax Inc. of the vulnerabilities in March 2017, but the company failed to take the appropriate measures to secure its systems.

The £500,000 fine is the maximum penalty possible under the 1998 Data Protection Act; Equifax was found to have violated five out of eight of its guiding principles.

Had the investigation taken place after the General Data Protection Regulation (GDPR) came into force earlier this year, the company would have been liable for a fine of up to 4 percent of its worldwide annual turnover.

Equifax Inc. reported revenues of more than $3.6 billion for 2017.

This article has been amended. It previously stated that the fine incurred by Equifax was £500m.