
Equifax Faces An £11m Fine From The UK FCA For Its 2017 Data Breach

Equifax, a credit reporting company, has been fined £11m by the UK’s Financial Conduct Authority (FCA). The fine was imposed because the company failed to stop cybercriminals from gaining access to the personal data of millions of individuals in 2017.

On October 13, 2023, the Financial Conduct Authority (FCA) announced the monetary penalty. Equifax’s UK branch, operating under the supervision of its US-based parent company, suffered a breach in which cybercriminals gained unauthorised access to the personal information of 13.8 million UK individuals.

In 2017, the American credit-monitoring service disclosed a data breach affecting 143 million records. Although the vulnerability was discovered in July 2017, it took another six weeks before it was made public in September.

[Image] In 2017, Equifax suffered a data breach (Shawn Hill/Shutterstock)

Following its investigation, the FCA found that the British Equifax branch had sent sensitive information to its US-based parent company for processing, including names, dates of birth, home addresses, login details for Equifax membership, and partially exposed credit card numbers.

Unveiling the Equifax Data Breach Details

The 2017 breach affected 13.8 million Equifax users in the United Kingdom. According to the regulator, the data of these people had been transmitted to the United States for processing. Bad actors exploited an unpatched vulnerability in Apache Struts to access the sensitive data.

After careful consideration, the FCA concluded that the theft of UK data could have been completely avoided. The administrative weaknesses at Equifax resulted from its failure to categorise its relationship with its parent company as an outsourcing arrangement.

As a result, although Equifax Inc.’s data security systems had vulnerabilities, the UK firm did not adequately monitor how the transferred data was managed and protected.

Equifax’s UK branch learned that the hack affected UK consumer data six weeks after Equifax Inc. discovered the security problems. Notably, the British office was informed of the incident only minutes before its American parent company made the public statement. Given the short notice, Equifax was unable to manage the rise in consumer complaints that followed the public announcement, resulting in considerable delays in reaching out to its UK customers.

The FCA also highlighted inappropriate public statements and a lack of quality assurance checks when resolving complaints after the incident, which increased the severity of the fine. Even though Equifax is one of the biggest credit rating companies in the world, the fine seemed justified.

The regulatory authority emphasised that Equifax had sufficient resources to tackle the breach and unauthorised data access.

According to Therese Chambers, joint executive director for market monitoring and enforcement:

Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe, and Equifax failed to do so. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.

As part of a settlement with the Federal Trade Commission and 50 U.S. states in 2019, Equifax Inc. agreed to pay $575 million in connection with its security failings during the incident. The same breach resulted in a £500,000 penalty for Equifax in 2018 from the UK’s Information Commissioner’s Office (ICO).

That decision was made after Equifax was found to have violated five of the eight data protection principles set out in the Data Protection Act 1998 in relation to protecting the information of UK residents.

Jessica Rusu, Chief Data, Information, and Intelligence Officer at the FCA, highlighted the growing importance of data safety and security in maintaining the stability and security of financial services. She stressed that businesses have a moral responsibility when handling customer data as well as a technological one to maintain sustainability.

Patricio Remon, president of Equifax for Europe, responded by highlighting that the company had worked closely with the FCA during the investigation. The FCA in turn acknowledged the company’s cooperation, its continuing improvement initiatives, and the voluntary customer settlement programme started after the incident.
