Equifax hit with £11m fine for 2017 breach

Small potatoes for a breach affecting 14 million UK citizens


The UK's Financial Conduct Authority (FCA) has hit credit rating agency Equifax with an £11 million fine for its role in a 2017 security breach.

Hackers were able to access data on 13.8 million people in the UK, in addition to nearly 148 million US citizens. The data was stored on servers belonging to Equifax's US parent company, Equifax Inc.

The FCA's investigation found that Equifax's British unit had outsourced sensitive data, including names, dates of birth, residential addresses, Equifax membership login details, and partially exposed credit card information, to its US-based parent company for processing.

However, it failed to implement the necessary safeguards to protect this data, leaving UK consumers vulnerable to financial crime.

Equifax only became aware of the unauthorised access to UK consumer data six weeks after its American parent company had detected the breach. Moreover, the British unit was notified about the incident just five minutes before Equifax Inc. publicly announced it.

Inaccurate public statements and a lack of quality assurance checks for complaints following the incident also contributed to the severity of the fine, the FCA said - although it seems like a tiny amount for one of the world's biggest credit rating agencies.

The authority emphasised that Equifax could have prevented the cyberattack and unauthorised data access entirely.

The FCA reduced the fine by 30% after Equifax agreed to cooperate with the watchdog and take steps to resolve the matter.

It also received 15% credit for its high level of cooperation during the investigation, its voluntary redress to consumers, and the global transformation programme it implemented in acknowledgment of the data breach.

The Information Commissioner's Office had previously fined the company £500,000 in 2018 for the same data breach: the maximum penalty allowed at the time, pre-GDPR.

The UK regulator's move is a reminder of the importance of robust cybersecurity measures, of the obligation to notify regulators promptly when a data breach occurs, and of the duty to communicate about it accurately and fairly.

Equifax has already faced substantial fines in the US, having agreed to a nearly $800 million settlement in 2019 for the breach.

Therese Chambers, joint executive director of enforcement and market oversight at the FCA, said: "Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not."

"The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection."

Jessica Rusu, FCA chief data, information and intelligence officer, said: "Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards."

Equifax says it cooperated fully with the British regulator throughout the investigation.

"Since the cyberattack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation," said Patricio Remon, president for Europe at Equifax.

"Few companies have invested more time and resources than Equifax to ensure that consumers' information is protected," he added.