Equifax handed £11m fine over major cyber-security breach


The FCA has issued a hefty fine of £11m to Equifax as a consequence of its involvement in one of history’s most significant cyber-security breaches.

This massive breach was a direct result of Equifax Ltd’s negligence in overseeing and managing the UK consumer data it had outsourced to its US-based parent company, Equifax Inc.

Equifax came under attack in 2017 in what is described as one of the largest cyber-security breaches ever. Due to the decision of Equifax to outsource data processing to Equifax Inc’s US servers, hackers successfully accessed personal information of an estimated 13.8 million UK consumers.

The compromised UK consumer data included names, dates of birth, phone numbers, Equifax membership login details, partially visible credit card numbers, and residential addresses. A significant concern is that this cyberattack and subsequent unauthorized data access were entirely preventable.

Equifax mistakenly did not treat its arrangement with its parent company as outsourcing. As a result, the data it sent was not properly managed or protected, despite known vulnerabilities in Equifax Inc’s data protection systems.

Shockingly, Equifax Ltd learned of the unauthorised access to UK consumer data a full six weeks after Equifax Inc detected the cyberattack. It was only approximately five minutes before its US counterpart publicised the breach that Equifax Ltd became privy to the situation. This lack of foresight led to an ill-prepared response to customer complaints and a significant delay in notifying affected UK individuals.

Post-incident, the company’s public communications regarding the breach’s impact on UK consumers were misleading, indicating a different number of affected consumers than the actual figure. The firm further aggravated the situation by inadequately addressing complaints following the cyberattack due to absent quality assurance checks, leading to mismanagement of these complaints.

Emphasising the importance of data security, Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, said, ‘Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.’ She added, ‘The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.’

Equally, Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, commented, ‘Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.’

Copyright © 2023 RegTech Analyst
