Equifax Ltd, a subsidiary of Equifax Inc, has been fined £11,164,200 by the UK's Financial Conduct Authority (FCA) over the major cybersecurity breach of 2017. The breach allowed attackers to access the personal data of approximately 13.8 million UK consumers.
FCA's Findings: The Preventable Nature of the Cybersecurity Breach
Equifax Ltd had outsourced UK consumer data to its parent company's servers in the US for processing, and the breach exposed sensitive information held there, including names, dates of birth, phone numbers, Equifax membership login details, partial credit card details, and residential addresses.
The FCA's investigation found that the breach was entirely preventable. Equifax Ltd, however, failed to treat its relationship with its parent company as an outsourcing arrangement, which resulted in a lack of oversight and protection for the data it sent to Equifax Inc's servers.
Known weaknesses in Equifax Inc's data security systems were not appropriately addressed. Equifax Ltd was also slow to respond: it learned of the breach six weeks after Equifax Inc did, and it failed to notify affected individuals promptly, clearly, and fairly.
Equifax’s British unit was hit with an £11 million fine for one of the biggest cyber-security breaches in history after it failed to manage UK consumer data https://t.co/475IFHmebW
— Bloomberg (@business) October 13, 2023
FCA's Emphasis on Effective Cybersecurity Arrangements
Equifax Ltd also made inaccurate public statements about the impact on UK consumers and mishandled complaints related to the incident. The FCA emphasized that regulated financial firms have a duty to maintain effective cybersecurity arrangements to protect customer data.
This includes keeping systems and software up to date and notifying affected individuals promptly. Failure to meet these standards can result in significant penalties, as it did in this case.
Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA, stressed the importance of maintaining high standards in data protection, particularly in the face of the constant threat of cybercriminals.
Jessica Rusu, FCA Chief Data, Information, and Intelligence Officer, underlined that firms have both a technical and ethical responsibility in processing consumer information, with the Consumer Duty emphasizing the need to raise standards in data protection.
In 2018, the Information Commissioner's Office had already investigated the data breach and imposed a £500,000 fine on Equifax Ltd. The FCA's fine of £11,164,200 underscores the severity of the incident and the regulators' commitment to holding firms accountable for data breaches and cybersecurity lapses.