UK’s financial watchdog fines Equifax £11.2m for failure to protect UK consumer data in one of the largest ever cyber security breaches
The UK’s financial watchdog has added to the financial consequences of one of the largest ever cyber security breaches, suffered by the American credit checking specialist Equifax.
The Financial Conduct Authority (FCA) announced on Friday (13 October 2023) that it has fined Equifax Ltd £11.2m ($13.6m) “for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US.”
Equifax had already been fined £500,000 by the UK’s data protection watchdog (the Information Commissioner’s Office) back in 2018 for failing to prevent the personal data of 13.8 million UK citizens from being exposed in the 2017 cyber-attack.
The Equifax breach, disclosed in September 2017, was a hugely damaging affair for the US credit checking agency.
The breach resulted in the theft of data belonging to 143 million US consumers (and 13.8 million British citizens).
Stolen data included names, addresses, social security numbers, and dates of birth.
What made the Equifax breach so damaging was that the firm had actually discovered the intrusion back in July 2017 but waited 40 days before telling the world.
Even worse, Equifax’s IT team had known about the vulnerability exploited by the hackers, a flaw in the Apache Struts web framework, since March 2017, when it was publicly disclosed; a security researcher had also warned the firm that it was vulnerable to attack months before the breach occurred.
In other words, Equifax had known it was exposed for months, and personnel within its senior management knew of the breach itself well before the firm publicly declared the security incident.
The fallout from the Equifax breach triggered multiple investigations across the world.
In July 2019 Jun Ying, a former Equifax chief information officer (CIO), was sent to federal prison for four months for insider trading, having sold Equifax shares on the basis of his knowledge of the breach before it was made public.
At the same time Equifax agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the Federal Trade Commission.
In August 2022 the US Securities and Exchange Commission charged three individuals with illegally tipping and trading in Equifax securities before the company announced, on 7 September 2017, that it had experienced a massive data breach.
Now the UK’s FCA has slapped Equifax with an £11.2m fine for the breach, which allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
The FCA noted that Equifax Ltd had outsourced UK consumer data to its US parent, Equifax Inc, for processing on servers in the United States, and that the hackers gained access to that data on those servers. The fine is for the UK firm’s failure to manage and monitor the security of the data it had handed over.
The UK consumer data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses, the FCA noted.
The watchdog also said that the cyberattack and the unauthorised access to data were entirely preventable.
It said that Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how the data it was sending was managed and protected.
The FCA also said there were known weaknesses in Equifax Inc’s data security systems and that Equifax Ltd failed to take appropriate action in response to protect UK customer data.
The FCA stated that Equifax Ltd did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack. Equifax then compounded the problem by making several public statements on the impact of the incident on UK consumers which gave an inaccurate impression of the number of consumers affected, the FCA noted.
The FCA said that Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.
“Financial firms hold data on customers that is highly attractive to criminals,” said Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA. “They have a duty to keep it safe and Equifax failed to do so.”
“They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not,” Chambers added.
“Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information,” added Jessica Rusu, FCA Chief Data, Information and Intelligence Officer. “The Consumer Duty makes it clear that firms must raise their standards.”
Equifax told Reuters on Friday that it had cooperated fully with the FCA throughout the long-running investigation.
“Since the cyberattack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation,” said Patricio Remon, president for Europe at Equifax.
“Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected,” Remon was quoted as saying.