The Financial Conduct Authority (FCA) has fined Equifax Ltd (Equifax) £11,164,400 for failing to manage and monitor the security of consumer data it had outsourced to its parent company based in the US.
The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
In 2017, Equifax’s parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history. Cyber-hackers were able to access the personal data of approximately 13.8 million UK consumers because Equifax outsourced data to Equifax Inc’s servers in the US for processing.
The consumer data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The cyberattack and unauthorised access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing.
As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.
Therese Chambers, joint executive director of enforcement and market oversight, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so.
“They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.
“The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”
Jessica Rusu, FCA chief data, information and intelligence officer, added: “Cyber security and data protection are of growing importance to the security and stability of financial services.
“Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.”
Patricio Remon, president for Europe at Equifax, said: “Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident.
“Since the cyberattack against our company six years ago, we have invested over $1.5bn in a security and technology transformation.
“Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.
“We have built one of the world’s most advanced and effective cybersecurity programs. Our maturity level has exceeded all major industry benchmarks, and our posture – the ability to protect our networks, information, and systems from threats – has ranked in the top 1% of technology companies and top 3% of financial services companies analysed, for three consecutive years.”
