The UK’s Financial Conduct Authority (FCA) has handed down a hefty £11 million penalty to Equifax Ltd, a subsidiary of US-based Equifax Inc, for its role in a 2017 data breach that exposed the personal data of almost 148 million US consumers globally and 13.8 million in the UK.
The investigation by the FCA uncovered that Equifax Ltd had outsourced the management of data like names, dates of birth, login details, partially exposed credit card information, and addresses to its parent company in the US. This decision inadvertently placed UK consumers’ data at risk, as the US servers were subsequently hacked, allowing cybercriminals unauthorized access.
“The cyberattack and unauthorized access to data was entirely preventable,” Equifax said in a press release. “Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.”
In light of the breach, Equifax stated that it has invested over $1.5 billion in security and technological advancements. Patricio Remon, president for Europe at Equifax, said that few companies have “invested more time and resources than Equifax” to protect consumer information.
Jessica Rusu, FCA Chief Data, Information, and Intelligence Officer, commented on the breach’s broader implications. “Cyber security and data protection are of growing importance to the security and stability of financial services,” Rusu said. “Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information.”
It’s worth noting that this is not the first penalty for Equifax Ltd concerning this breach. In 2018, the UK’s Information Commissioner’s Office levied a £500,000 fine on the company. The recent fine by the FCA was reduced due to Equifax’s agreement to resolve the matter and its high level of cooperation during the investigation.