The United Kingdom has finally rendered a decisive judgment on a long-standing matter involving Equifax, which suffered a grievous data breach in 2017. The breach exposed the credit histories and other sensitive information of 143 million customers.
Today, the UK’s financial regulator, the Financial Conduct Authority (FCA), announced a penalty for Equifax Ltd. of over £11 million (about $13.4 million).
According to the FCA, Equifax Ltd. failed to take the necessary precautions to safeguard the personal data of 13.8 million UK consumers that was held by its US parent company.
In 2017, Equifax reported a security breach in which 143 million unique records were compromised. The breach was discovered in July 2017, but the information wasn’t made public until six weeks later.
During the incident, hackers exploited a vulnerability in the Apache Struts software to access confidential data. Rumors at the time suggested that hackers might have had access to Equifax networks as early as November 2016, but the bureau denied these claims.
The data of British citizens was reportedly compromised because Equifax Ltd. had outsourced its data processing to its parent company in the US. The FCA stated that the data theft was “entirely preventable”: despite known weaknesses in the security systems of Equifax Inc., its subsidiary, Equifax Ltd., failed to adequately oversee the protection of the transferred data.
The regulator also noted that the UK branch only learned about the consumer data breach six weeks after the parent company detected the hack.
The regulator also found that Equifax Ltd.’s public statements regarding the incident painted an inaccurate picture of the number of affected consumers, and that the company did not adequately respond to the complaints of UK clients.
Theresa Chambers of the FCA emphasized that financial firms are duty-bound to protect their clients’ data, regardless of outsourcing practices. Jessica Rusu from the same organization highlighted that the regulator’s decision underscores the importance of cybersecurity for the stability of financial services.
As a reminder, in 2019, Equifax Inc. agreed to pay $575 million as compensation for its security oversights. Additionally, in 2018, the UK Information Commissioner’s Office (ICO) fined Equifax £500,000 for breaching data protection principles.