UK regulator fines Equifax £11 million for 2017 data breach

esteria.white

The UK’s financial regulator has fined Equifax Ltd more than £11 million ($13.4 million) for failing to protect UK consumer data stolen in the notorious 2017 data breach.

The Financial Conduct Authority (FCA) announced the financial sanction on October 13, 2023. The FCA said Equifax’s UK business failed to take appropriate steps to protect the personal data of 13.8 million UK consumers that was held by its parent company in the United States.

In 2017, the US credit-monitoring company reported a data breach affecting 143 million records. The incident was discovered in July 2017, but it took another six weeks before it was made public in September.

Data theft was preventable

During the incident, malicious actors exploited an unpatched Apache Struts vulnerability to access sensitive information.

Hackers were able to access UK consumers’ details because Equifax Ltd had outsourced the data to Equifax Inc servers in the United States for processing. The data included names, dates of birth, phone numbers, Equifax member login information, partially exposed credit card details and residential addresses.

The FCA has ruled that data theft in the UK was “entirely preventable”. However, because Equifax did not view its relationship with its parent company as outsourcing, it did not provide sufficient oversight of how the data it sent was managed and protected. This is despite “known weaknesses in Equifax Inc’s data security systems”.

The regulator noted that Equifax Ltd only discovered that UK consumers’ data had been accessed six weeks after its parent company discovered the hack. The British company was only informed about five minutes before the official announcement in September 2017.

This led to delays in informing UK customers that their information had been accessed.

Misleading statements and mishandling of complaints

The FCA said public statements from Equifax Ltd about the impact of the incident “gave an inaccurate impression of the number of consumers affected”.

The FCA added that the company had mishandled complaints from UK consumers by failing to maintain quality assurance checks for complaints.

Therese Chambers, joint executive director of enforcement and market oversight at the FCA, said regulated financial firms are responsible for their customers’ data, whether it is outsourced or not.

“The risk of identity theft never stops. Cybercriminals are sophisticated and innovative; it is imperative that businesses maintain the highest standards of data protection,” she warned.

Jessica Rusu, head of data, information and intelligence at the FCA, added that this severe sanction highlights the fact that cybersecurity and data protection are crucial to the security and stability of financial services.

“Businesses not only have a technical responsibility to ensure their resilience, but also an ethical responsibility in handling consumer information. Consumer Duty makes it clear that businesses need to raise their standards,” she said.

In 2019, Equifax Inc. agreed to pay $575 million as part of a settlement with the Federal Trade Commission and 50 U.S. states for its security failings during the incident.

In 2018, the UK Information Commissioner’s Office (ICO) fined Equifax £500,000 in relation to the same incident. Equifax was found to have breached five of the eight data protection principles of the Data Protection Act 1998 in failing to protect the data of UK citizens.
