FCA Imposes £11 Million Fine on Equifax for Significant Consumer Data Breach

The Financial Conduct Authority (FCA) has imposed a fine of over £11 million on Equifax for inadequately safeguarding customers against a data breach that originated from its US parent company.

In 2017, Equifax failed to protect the personal information of 13.8 million UK consumers and a total of 147.9 million individuals worldwide from hackers, making it one of the most significant cybersecurity breaches in history. This incident prompted the resignation of its CEO and spurred a lawsuit from the Independent Community Bankers of America (ICBA).

The UK financial regulator highlighted that millions of UK consumers were exposed due to this security failure, allowing hackers access to sensitive information, including names, dates of birth, login credentials, phone numbers, partial credit card details, and home addresses of Equifax customers.

Therese Chambers, joint executive director of enforcement and market oversight at the FCA, remarked, “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe, and Equifax failed to do so. This failure was compounded by how they mishandled their response to the data breach. Regulated firms are held accountable, irrespective of whether they outsource data processing. The risk of identity theft is continuous. Cyber criminals are becoming increasingly sophisticated; therefore, it is essential for firms to uphold the highest standards of data protection.”

The FCA concluded that Equifax was negligent, unprepared to safeguard customer information, inadequate in supporting its users, and misleading in its communication regarding the breach.

Jessica Rusu, FCA chief data, information, and intelligence officer, stated, “Cyber security and data protection are increasingly vital to the security and stability of financial services. Firms have both a technical and ethical responsibility to process consumer information securely. The Consumer Duty emphasizes the need for firms to elevate their standards.”

In response, Patricio Remon, President for Europe at Equifax, acknowledged the company’s full cooperation with the FCA during the investigation and noted that Equifax had been recognized for this cooperation, as well as its transformation program and voluntary consumer redress efforts following the incident. He added that since the cyberattack six years ago, Equifax has invested over $1.5 billion in security and technology enhancements, asserting that few companies have committed as much time and resources to protect consumer information.