The British watchdog Financial Conduct Authority (FCA) on Friday announced that it has fined Equifax Ltd, the UK arm of credit reporting firm Equifax Inc, more than £11 million (approximately $13.5 million) over the massive 2017 data breach.
Roughly 147 million people were impacted by the incident, including 13.8 million UK consumers, after hackers gained access to Equifax servers in the US. In 2020, the US government indicted four members of China’s People’s Liberation Army (PLA) with hacking the credit reporting agency.
The cyberattack began on May 13, 2017, and remained undetected until July 29, 2017. Equifax made an announcement on the incident roughly a month and a half later, on September 7. The FCA launched a formal investigation into the incident in October 2017.
According to the regulator, Equifax Ltd failed “to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US”, leading to the exposure of names, addresses, phone numbers, dates of birth, Equifax membership login details, and partial credit card details.
“The cyberattack and unauthorized access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected,” the FCA notes.
The financial watchdog also notes that Equifax’s data security systems were plagued with known weaknesses and that the company’s British arm “failed to take appropriate action in response to protect UK customer data”.
Furthermore, the FCA points out that Equifax Ltd learned that UK consumer data had been compromised only 6 weeks after the hack was discovered, minutes before the American parent company made the incident public, and that it was unable to cope with complaints it received.
“Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected. Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled,” the FCA also notes.
In a final notice served to Equifax Ltd on October 3, the watchdog notes that the fine should have been of nearly £16 million (roughly $19.4 million).
In 2019, Equifax agreed to pay up to $700 million to settle charges related to the data breach. In 2020, a US court ordered the credit reporting company to invest a minimum of $1 billion in improving its data security stance.