According to the ICO, Equifax UK's parent company in the US -- the one infiltrated by cyberattackers -- processed data on its behalf. The regulator has concluded that the company's UK division failed to make sure that its American counterpart was protecting UK citizens' information properly. Authorities have also found "significant problems with [the company's] data retention, IT system patching and audit procedures." Further, they've discovered that the US Department of Homeland Security warned Equifax about a critical vulnerability back in March 2017, and that the company didn't take steps to patch the flaw the hackers ultimately exploited.

The agencies' investigators divided the affected subjects in the country into different categories: those most affected (19,993 people) had their names, birthdays, phone numbers and driver's licenses stolen. Meanwhile, the first three types of information were exposed for 637,430 subjects. In all, 15 million UK citizens had their names and birthdates exposed, but those unfortunate enough to fall into the first category are clearly the most vulnerable to identity theft.

While £500,000 is chump change for a company like Equifax despite all its financial setbacks since the breach came to light, that's the largest fine authorities can issue, since the event happened before GDPR was implemented. Information Commissioner Elizabeth Denham explained:

"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data. We are determined to look after UK citizens' information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."

Update (09/20/18 8:54AM ET): An Equifax spokesperson has reached out with the company's official statement: