FCA fines Equifax for part in major cybersecurity breach

Company was implicated in leak that impacted 13.8 million UK consumers


The Financial Conduct Authority (FCA) has imposed a fine of £11,164,400 on Equifax for a critical failure in managing and overseeing the security of UK consumer data outsourced to its US-based parent company.

The lapse resulted in what is considered one of the largest cybersecurity breaches in history, enabling hackers to gain access to the personal data of millions of individuals in the UK and exposing them to potential financial crime risks.

In 2017, Equifax Inc, the US-based parent company of Equifax Ltd, suffered a massive breach in which hackers infiltrated Equifax Inc's servers in the US, where UK consumer data had been outsourced for processing. Approximately 13.8 million UK consumers had their personal data compromised as a result.

The compromised UK consumer data included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card information, and residential addresses.

Breach was entirely avoidable, FCA stated

The breach and the unauthorised data access were entirely avoidable, the FCA noted. The watchdog found that Equifax Ltd had failed to treat its relationship with its parent company as an outsourcing arrangement, and so did not exercise adequate oversight of how the data it sent was managed and protected. Equifax Inc's data security systems had known vulnerabilities, and the firm did not take appropriate measures to safeguard UK customer data, the regulator found.

Equifax Ltd was unaware that UK consumer data had been affected until six weeks after Equifax Inc discovered the hack, and it was told of the incident only five minutes before its US parent's public announcement. This left it poorly placed to handle the resulting complaints and delayed its contact with affected UK customers.

Following the breach, Equifax also gave the public inaccurate information about the number of affected consumers, and it mishandled complaints by failing to maintain quality assurance checks on complaints related to the incident, the regulator found.

The FCA reiterated that regulated financial entities are obligated to establish effective cybersecurity measures to protect the personal data they hold. This includes keeping systems and software updated and fully patched to prevent unauthorised access. Firms remain responsible for data even when outsourced.

In the event of a data breach, an FCA-authorised firm must promptly notify affected individuals in a fair, clear, and accurate manner and implement appropriate procedures for handling complaints.

FCA joint executive director of enforcement and market oversight Therese Chambers said that as financial firms hold customer data that attracts criminal elements, it is important that they keep it safe at all costs. In this regard, the FCA found that Equifax failed.

“They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not. The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection,” Chambers said.

Update

In a statement provided to Insurance Business on the agreement reached with the FCA, Patricio Remon, president for Europe at Equifax, said:

“Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident. Since the cyberattack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.

“We have built one of the world’s most advanced and effective cybersecurity programs. Our maturity level has exceeded all major industry benchmarks, and our posture – the ability to protect our networks, information, and systems from threats – has ranked in the top 1% of technology companies and top 3% of financial services companies analysed, for three consecutive years.”
