Date: 2018-09-20

(Adds details on regulator’s findings, paragraphs 7-12)

Sept 20 (Reuters) - A British regulator on Thursday fined credit reference company Equifax Inc’s UK arm Equifax Ltd 500,000 pounds for failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.

The Information Commissioner’s Office (ICO) said in a statement its investigation found that, although Equifax systems in the United States were compromised, Equifax Ltd was responsible for the personal information of its customers in Britain.

Equifax did not immediately respond to a request for comment on the fine outside regular business hours.

The cyber attack, which took place between May 13 and July 30, 2017, affected 146 million Equifax customers globally, the ICO said. bit.ly/2xv5cTk

The British arm of the company failed to take appropriate steps to ensure its American parent company Equifax Inc, which was processing the data on its behalf, was protecting the information, ICO said.

It said the investigation, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the company, which led to personal information being retained for longer than necessary and vulnerable to unauthorised access.

The personal information lost or compromised ranged from names and dates of birth to addresses, passwords, driving licences and financial details.

Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data, ICO said.

ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures.

The investigation also found that the U.S. Department of Homeland Security had warned Equifax about a critical vulnerability as far back as March 2017 and sufficient steps to address the vulnerability were not taken, ICO said.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

Equifax first revealed in September 2017 that it had been the target of a massive data breach, mostly in the United States.