Equifax has been fined £11 million ($13.4 million) for failings during a 2017 data breach which exposed data belonging to millions of customers.
The Financial Conduct Authority (FCA) imposed the penalty on the financial services firm over what it described as a failure to adequately “manage and monitor the security of UK consumer data”.
The Equifax security breach was “entirely preventable”, an investigation by the regulator concluded.
The incident saw threat actors gain access to personal data belonging to nearly 14 million UK consumers. Data exposed in the breach included names, dates of birth, phone numbers, login details, partially exposed credit card information, and customer addresses.
Meet your disaster recovery and business continuity needs without changing your existing VMware infrastructure.
Hackers were able to access personal data because Equifax outsourced it to its parent company’s servers in the US for processing, the FCA said. An investigation concluded that there were “known weaknesses" in the parent company’s data security practices at the time.
“The cyberattack and unauthorised access to data was entirely preventable,” the regulator said in a statement.
“Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.
“There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.”
Equifax communication failures
Equifax was totally unaware that consumer data had been accessed for six weeks in the wake of the breach, the FCA found.
In addition, the UK subsidiary was only informed of the incident five minutes before it was announced by the American parent company.
“This meant Equifax was unable to cope with complaints it received when the incident was announced, and led to delays in contacting UK customers,” the regulator said.
Equifax’s communication with affected customers was below the standards expected of a regulated financial firm. The FCA said that it also gave an “inaccurate impression” of the number of customers affected.
“Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cyber security incident, meaning complaints were mishandled.”
Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, said the impact of the breach was exacerbated by Equifax’s botched handling of the affair and its failure to adequately inform consumers.
“Financial firms hold data on customers that is highly attractive to criminals,” she said. “They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.”
Gain the ability to collect, aggregate, and correlate data more effectively.
The Equifax breach remains one of the largest in UK history six years on from disclosure.
In 2018, the Information Commissioner’s Office (ICO) investigated the breach and imposed a £500,000 fine on the firm, the maximum penalty available to the watchdog under previous regulations.
In a response to the FCA fine, Equifax said it has invested heavily in bolstering its security practices since 2017 and accepts the regulator’s decision.
“Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognized by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident,” said Patricio Remon, president for Europe at Equifax.
“Since the cyber attack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.”
