FCA fines Equifax £11m over cybersecurity breach
Credit checking agency Equifax has been fined more than £11m by the UK regulator following one of the largest cybersecurity breaches in history, it was confirmed on Friday.
Equifax Inc.
$261.27
11:05 24/12/24
Equifax Inc, the firm’s US parent, was hit by a cyber breach in 2017 that saw hackers gain access to the personal details of around 148m US consumers.
UK customers were also affected, however, because Equifax had outsourced data to the US for processing.
It meant the hackers were able to access the names, dates of birth, phone numbers, partially exposed credit card details, addresses and Equifax login details of 13.8m British consumers.
Imposing the £11.2m fine, the Financial Conduct Authority called both the cyberattack and unauthorised access "entirely preventable".
In particular, it noted there had been insufficient oversight of how the data Equifax was sending to the US was managed and protected, despite "known weaknesses" in Equifax Inc’s data security systems.
Equifax found out about the breach six weeks after the hack was first discovered, and was informed just five minutes before it was publicly announced by Equifax Inc, leaving the UK arm unable to cope with the large number of complaints it received.
Equifax also gave an "inaccurate impression" of the number of consumers affected in its public statements, the FCA said.
Therese Chambers, joint executive director of enforcement and market oversight, said: "Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe, and Equifax failed to do so."
"They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not."
The fine would have been £15.95m but was reduced by 30% after Equifax agreed to resolve the matter. It also received a 15% credit for mitigation in acknowledgment of its high level of cooperation.
Equifax was fined £500,000 by the Information Commissioner’s Office in 2018 over the breach.
Patricio Remon, president for Europe at Equifax, said: "Since the cyberattack…we have invested over $1.5bn in a security and technology transformation.
"We have built one of the world’s most advanced and effective cybersecurity programmes."