Equifax Hit with £11M Penalty Over 2017 UK Consumer Data Breach Failings

Oct 15, 2023

Equifax Ltd., the UK subsidiary of Equifax Inc., has been fined £11 million ($13.4 million) by the Financial Conduct Authority (FCA) for failing to manage and monitor the security of UK consumers' personal data during the 2017 breach of its parent company. The breach exposed the personal information of 13.8 million UK consumers and revealed significant gaps in how Equifax Ltd. oversaw the data it had handed to Equifax Inc.

The size of the penalty reflects the FCA's view that firms must meet higher data protection standards, a point emphasized by Jessica Rusu, Chief Data, Information and Intelligence Officer at the FCA. The breach exposed a series of failings in Equifax's data protection controls and raised questions about the company's ability to safeguard consumer data.

Equifax Ltd. was slow to learn of the breach: it did not find out that UK consumer data had been accessed until about six weeks after its parent company discovered the intrusion in late July 2017, shortly before the breach was announced publicly in September. Affected UK consumers were therefore unaware for weeks that their personal information had been compromised.

The FCA's ruling identified several failings. A central one was that Equifax Ltd. did not treat its relationship with its parent company as an outsourcing arrangement, so it never applied the oversight of data handling and security that a regulated firm owes to its outsourced processes. Meanwhile, attackers gained access to Equifax Inc.'s systems, and the UK data held there, by exploiting an unpatched vulnerability in the Apache Struts web application framework.

Equifax Ltd.'s handling of the incident also drew criticism. The company gave inaccurate figures for the number of UK consumers affected and did not treat complaints fairly, which further eroded trust and compounded the harm to consumers.

Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA, warned firms that cybersecurity and data protection must be treated as priorities, since consumer trust and the stability of financial services depend on them.

The breach shows the difficulty Equifax Ltd. had in safeguarding personal data that was processed on its US-based parent company's systems. Because UK consumer data had been outsourced to Equifax Inc.'s servers in the US, the compromise of those servers exposed the details of UK consumers. The FCA's position is that a regulated firm remains responsible for protecting its customers' data regardless of where, or to whom, it has outsourced processing.

The stolen data included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses. The FCA described the breach as "entirely preventable", underscoring the seriousness of the failings.

This is not the first penalty Equifax has faced over the incident. In 2018, the UK Information Commissioner's Office (ICO) fined Equifax Ltd. £500,000, the maximum available under the Data Protection Act 1998, for the same breach. In 2019, Equifax Inc. agreed to pay at least $575 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and US state attorneys general.

The continuing fallout from the Equifax breach is a reminder of the need for strong data protection controls. Firms must prioritize cybersecurity, patch known vulnerabilities promptly, and exercise proper oversight of data processing they have outsourced, including to group companies.

The Equifax Ltd. case underlines the need for higher data protection standards, both within the company and across the financial sector. Only through proactive measures and a sustained commitment to those standards can firms hope to protect their customers' sensitive information from evolving threats.

With data breaches now commonplace, businesses and regulators must work together to prevent future incidents and preserve consumer trust. The Equifax breach is a stark illustration of the consequences of failing to do so.