Equifax Ltd, a subsidiary of Equifax Inc, has been fined £11,164,200 by the UK's Financial Conduct Authority (FCA) for a major cybersecurity breach in 2017. The breach allowed cyber-hackers access to the personal data of approximately 13.8 million UK consumers.
FCA Findings: Preventable Cybersecurity Breach
Equifax Ltd had sent UK consumer data to its parent company's servers in the US for processing, and the breach exposed sensitive information, including names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The FCA's investigation found that the breach was entirely preventable. Equifax Ltd had failed to treat its relationship with its parent company as an outsourcing arrangement, which resulted in a lack of oversight and protection for the data it sent to Equifax Inc.'s servers.
Known weaknesses in Equifax Inc.'s data security systems were not appropriately addressed. Equifax Ltd was also slow to respond to the breach, discovering it six weeks after Equifax Inc. did, and failed to promptly notify the affected individuals in a clear and fair manner.
FCA's Emphasis: Effective Cybersecurity Arrangements
Equifax Ltd made inaccurate public statements about the impact on UK consumers and mishandled complaints related to the incident. The FCA emphasized that regulated financial firms have a duty to maintain effective cybersecurity arrangements to protect customer data.
This includes keeping systems and software up to date and notifying affected individuals promptly. Failure to meet these standards can result in significant penalties.
Therese Chambers, the Joint Executive Director of Enforcement and Market Oversight at the FCA, stressed the importance of maintaining high standards in data protection, particularly in the face of the constant threat of cybercriminals.
Jessica Rusu, the Chief Data, Information, and Intelligence Officer at the FCA, underlined that firms have both a technical and ethical responsibility in processing consumer information, with the Consumer Duty emphasizing the need to raise standards in data protection.
In 2018, the Information Commissioner's Office had already investigated the data breach and imposed a £500,000 fine on Equifax Ltd. The recent FCA fine of £11,164,200 underscores the severity of the incident and the regulatory authorities' commitment to holding firms accountable for data breaches and lapses in cybersecurity.