| Link(s): | https://www.fca.org.uk/news/press-releases/equifax-ltd-fine-cyber-security-breach https://www.fca.org.uk/publication/final-notices/equifax-limited-2023.pdf |
Context
The FCA has fined Equifax Ltd (Equifax) £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime, according to the FCA.
Key points to note
- In 2017, Equifax’s parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history. Cyber-hackers were able to access the personal data of approximately 13.8 million UK consumers because Equifax outsourced data to Equifax Inc’s servers in the US for processing.
- The UK consumer data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
- The cyberattack and unauthorised access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.
- Equifax did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack.
- Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected.
Next actions
None – for information and awareness.