Credit checking company Equifax has been fined £11.1m over its role in a cyberattack which led to data belonging to 13.8 million UK consumers being exposed to hackers. Financial regulator the Financial Conduct Authority (FCA) has handed out the penalty, saying the threat to British citizens was “entirely preventable”.
Equifax UK data was exposed in the March 2017 breach after it shared the information with its US-based parent company, which had had its systems compromised by a hacking gang thought to operate out of China. In total, it is believed that 143 million people from around the world had data stolen during the incident.
Why the FCA has punished Equifax over cyberattack
Following a detailed investigation, the FCA says that UK consumer data accessed by the hackers included names, addresses, dates of birth, phone numbers, Equifax membership login details and partially exposed credit card details.
The regulator described this unauthorised access to data as “entirely preventable”, stating: “Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.
“There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.”
It said Equifax did not find out that UK consumer data had been accessed until six weeks after the initial breach. “The firm was informed about the incident approximately five minutes before it was announced by the US parent company,” the FCA said. “This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers.”
The regulator also believes Equifax made several public statements on the impact of the incident on UK consumers “which gave an inaccurate impression of the number of consumers affected”. It added: “Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.”
Financial services sector has ‘technical and ethical’ cybersecurity responsibilities
Therese Chambers, joint executive director of enforcement and market oversight at the FCA, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.
“The risk of identity theft never stops. Cybercriminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”
Equifax has faced multiple lawsuits from consumers in the US over the cyberattack, and in 2019 came to an agreement with the Federal Trade Commission to pay up to $700m in penalties over the incident, including a $300m victim fund. In 2018, the UK Information Commissioner’s Office fined the company £500,000 over the attack, the biggest penalty it could hand out under legislation in place at the time.
Patricio Remon, president for Europe at Equifax, said: “Equifax has cooperated with the FCA fully throughout this long-running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident.” Remon added that the company has spent $1.5bn on a security and technology transformation project since the cyberattack to bolster its defences.
Jessica Rusu, FCA chief data, information and intelligence officer, said: “Cybersecurity and data protection are of growing importance to the security and stability of financial services.
“Firms not only have a technical responsibility to ensure resiliency but also an ethical responsibility in the processing of consumer information. The consumer duty makes it clear that firms must raise their standards.”