By SecureWorld News Team
Fri | Sep 21, 2018 | 4:21 AM PDT

In the two years before GDPR went into effect across the EU, the information security community was buzzing about fines of up to 4% of global revenue.

So news this week that the UK Information Commissioner's Office fined Equifax £500,000 (about $660,000 US) because of its 2017 mega-breach left many scratching their heads.

Especially considering the company reported annual revenue of $3.1 billion in 2017.

Timing is everything—even in the Equifax mega-breach

Equifax and its shareholders must be thankful the breach happened before GDPR went into effect, because it just saved them a ton of cash.

UK Information Commissioner Elizabeth Denham issued a statement to clarify that her office went as high as they could go under the law:

"Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."

Before and after GDPR: maximum fines for Equifax

So now we know that the weaker (and much more affordable) 1998 privacy legislation is what applied to the Equifax mega-breach.

These are the Equifax maximum data breach penalties in the UK before and after GDPR:

  • Under 1998 legislation: Approximately $660,000 US (this is what applied to Equifax)
  • Under GDPR: Up to 4% of global turnover; for Equifax that puts the 2017 number at somewhere around $124 million US.

So based on the maximum penalty in this case, Equifax just saved $123,340,000.

It almost sounds like a GEICO commercial, doesn't it? "Hey Equifax, what are you going to do with all the money you saved on your pre-GDPR fine?"

The UK's Monetary Penalty Notice against Equifax is 32 pages long, and you can read all the details if you've got some time.

Speaking of details, don't miss "New Equifax Breach Report: A Must-Read for InfoSec Teams." This is the most detailed look at the Equifax breach to date, with many important lessons in the findings.
