Equifax fined $13.4 million over “entirely preventable” 2017 security breach

The Financial Conduct Authority (FCA) has slapped Equifax with a £11 million fine after ruling that the 2017 data breach in which the data of 14 million UK customers was exposed was “entirely preventable”.

Exfiltrated data in the event include names, birth dates, phone numbers, login details, customer addresses, and partially exposed credit card information.

According to FCA, the hack happened because Equifax failed to “manage and monitor the security of UK consumer data”. The said data had been transferred from Equifax UK subsidiary to its US parent company's servers for processing, and according to the investigations, these servers had known security weaknesses.

“The cyberattack and unauthorized access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected,” the regulator said in a statement.

In the ruling, FCA notes that Equifax it took 6 weeks for Equifax to realize it had been breached. Additionally, the UK subsidiary was only informed of the incident five minutes before the American parent company announced it to the public.

“This meant Equifax was unable to cope with complaints it received when the incident was announced, and led to delays in contacting UK customers,” the regulator said.

The regulator added that Equifax communicated poorly with affected UK customers and gave an “inaccurate impression” of the situation. Their communication was below the standards expected of a regulated financial entity, FCA added.

“Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not,” Therese Chambers, the FCA’s joint executive director of enforcement and market was quoted as saying.

The Equifax breach in 2017 remains one of the largest in UK history.

Responding to the ruling, Equifax said it has invested over $1.5 billion in security upgrades since the breach, and they accept the FCA's decision.

“Since the cyber attack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected,” Patricio Remon, president for Europe at Equifax said.