Equifax suffered a serious cyber attack in 2017 and a total of 146 million people had their personal data exposed online.
It is not the actual breach that has led to the ICO fine, but the findings that Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data and that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.
There is no 100% guarantee that any business, large or small, will be immune from a cyber-attack. You can minimise that risk by putting the most sophisticated security measures in place coupled with educating all of your staff, but you cannot guarantee you won’t be breached.
What you can do, and indeed since the implementation of GDPR you must do, is prove that your company has put in place the correct security measures to protect the data that you hold on your computers and networks. If you cannot demonstrate that you have done all you can to secure the data that you hold and your systems are hacked, you will be fined.
Equifax have “got away with it” in the sense that the investigation into this breach occurred before GDPR became EU law – the £500,000 fine was the highest fine possible under the UK's Data Protection Act 1998. Had this occurred after GDPR, Equifax would have been subject to a fine of up to €20 million, or 4% of annual global turnover – whichever was higher.
For all businesses this should stand as a stark warning. All of us have a responsibility to protect the data that we have on our computers, laptops and servers. If all of the contacts that you have on your machine were exposed online for everybody to see, quite apart from the crippling fines, you could see your company’s reputation go down the pan.