The FCA (Financial Conduct Authority) in the UK has imposed a fine of £11,164,400 ($13.5M) on Equifax for failure to secure the data of consumers in the country.
Equifax is a multinational (24 countries) consumer credit reporting agency, one of the largest in the world, which aggregates credit and demographic information on over 800 million people and 88 million companies.
The fine was imposed on Equifax Ltd., in Britain, for outsourcing the data of 13.8 million UK consumers to its US-based parent entity, Equifax Inc., for reasons of central processing. That data was exposed in a massive data breach in 2017 when hackers accessed full names, home addresses, dates of birth, and credit card details.
The breach occurred in July 2017 and impacted over 150 million people in total. It was attributed to a vulnerability in the Apache Struts web application framework, which Equifax failed to patch in a timely manner despite the availability of a fix. It took Equifax Inc. until September 2017 to eventually publicly disclose the incident.
“The cyberattack and unauthorised access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.” - FCA
The agency states that Equifax Inc. was plagued by known weaknesses, of which Equifax Ltd. should have been aware and against which it should have taken appropriate preventive action to protect people’s data. Also, the British Equifax entity only learned about the consumer data breach six weeks after the hack had occurred and been discovered in the US. This caused a massive delay in informing UK customers, who went through an extended period of heightened risk.
Even after Equifax Ltd. learned about the incident, the FCA says the company attempted to downplay the significance of the security event, misreporting details such as the number of impacted individuals or the data that was leaked. Complaints submitted to the firm post-disclosure were also mishandled, and the company failed to provide assurances of security to concerned clients.
The fine on Equifax, six years after the breach, emphasizes the persistent accountability companies have for security lapses. FCA’s action serves as a delayed reminder to organizations about the significance of robust cybersecurity. The massive $13.5M penalty demonstrates that regulatory oversight is enduring, and data protection standards should be upheld consistently, regardless of the time that has elapsed since the occurrence of security incidents.