The UK’s financial regulator has fined Equifax Ltd. over £11m ($13.4m) for failing to protect UK consumer data stolen in the notorious 2017 data breach.
The Financial Conduct Authority (FCA) announced the financial penalty on October 13, 2023. The FCA stated that Equifax’s UK business failed to take appropriate action to protect the personal data of 13.8 million UK consumers held by its US-based parent company.
In 2017, the US-based credit-monitoring service reported a data breach of 143 million records. The incident was discovered in July 2017, but it was another six weeks before it was disclosed to the public in September.
Theft of Data Was Preventable
During the incident, threat actors exploited an unpatched Apache Struts vulnerability to gain access to the sensitive information.
Hackers were able to access the details of UK consumers because Equifax Ltd. had outsourced data to Equifax Inc’s servers in the US for processes. This included names, dates of birth phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The FCA ruled that the theft of UK data was “entirely preventable.” However, as Equifax did not treat its relationship with its parent company as outsourcing, it did not provide sufficient oversight of how the data it was sending was managed and protected. This is despite there being “known weaknesses in Equifax Inc’s data security systems.”
The regulator noted that Equifax Ltd did not find out that UK consumer data had been accessed until six weeks after its parent company had discovered the hack. The UK business was only informed approximately five minutes before the official announcement in September 2017.
This led to delays in informing UK customers that their information had been accessed.
Misleading Statements and Mishandling Complaints
The FCA said Equifax Ltd’s public statements on the impact of the incident “gave an inaccurate impression of the number of consumers affected.”
It added that the firm mishandled complaints from UK consumers by failing to maintain quality assurance checks for the complaints.
Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA said that regulated financial firms are responsible for their customers’ data, regardless of whether it is outsourced or not.
“The risk of identity theft never stops. Cyber-criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection,” she warned.
Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, added that the severe penalty underlines the fact that cybersecurity and data protection are crucial to the security and stability of financial services.
“Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards,” she said.
In 2019, Equifax Inc. agreed to pay $575m as part of a settlement with the Federal Trade Commission and 50 US states for its security failings during the incident.
In 2018, the UK Information Commissioner’s Office (ICO) issued £500,000 fine to Equifax in relation to the same incident. Equifax was found to have contravened five out of eight data protection principles of the Data Protection Act 1998 in protecting the data of UK citizens.
