The UK Financial Conduct Authority (FCA) has imposed a fine of about £11.16m on consumer credit reporting agency Equifax Ltd for failing to handle and monitor the security of UK consumer data it outsourced to its parent company Equifax Inc. based in the US.

According to the FCA, the parent company in 2017 was subject to one of the biggest cybersecurity breaches in history.

The breach allowed cyber-hackers to access the personal data of nearly 13.8 million UK consumers as Equifax outsourced data to Equifax Inc.’s servers in the US for processing.

The consumer data obtained by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

According to the financial regulatory body, the cyberattack and unauthorised access to data were fully avoidable.

It also said that Equifax did not treat its relationship with its parent company as outsourcing. As a result, the company was not able to provide sufficient oversight of how the data it sent was managed and protected.

In addition, Equifax’s data security systems had known flaws, and Equifax failed to take the necessary steps in response to secure UK customer data, the FCA said.

Equifax did not uncover that UK consumer data had been accessed until six weeks after Equifax Inc. found the intrusion.

Following the cybersecurity breach, Equifax issued multiple public statements about the incident’s impact on UK consumers, which created a misleading picture of the number of customers affected.

The company is also alleged to have mistreated customers by neglecting to continue quality assurance inspections for complaints following the hacking.

FCA Chief Data Information and Intelligence Officer Jessica Rusu said: “Cyber security and data protection are of growing importance to the security and stability of financial services.

“Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.”