£11.2m Equifax fine takes cost of 2017 breach to £3bn

Equifax UK has been slapped with a £11.2m penalty for the 2017 data breach which exposed the personal data of 13.8 million Brits, bringing the total global cost to nearly £3bn ($3.5bn), including other fines and £1.2bn ($1.5bn) spent on beefing up its own data security.

The Financial Conduct Authority said its £11.2m penalty was “for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US”; the Information Commissioner’s Office issued a £500,000 fine – the maximum permitted at the time – back in 2018.

The FCA investigation found that cyber-hackers had been able to access the personal data of UK consumers because Equifax UK outsourced data to Equifax Inc’s servers in the US for processing.

The UK consumer data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

However, the FCA found that the cyberattack and unauthorised access to data were entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of whether the data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems, and Equifax failed to take appropriate action in response to protect UK customer data.

Equifax did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company. This meant Equifax was unable to cope with the complaints it received when the incident was announced, and led to delays in contacting UK customers.

Following the cybersecurity breach, the FCA said Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected. Initially it maintained that “fewer than 400,000 UK consumers” had been hit; it then revised this up to 694,000. It later confessed that the figure was in fact 13.8 million.

The FCA also ruled that Equifax treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.

Branded “the greatest security catastrophe of modern times”, the incident affected more than 147 million people worldwide and led to the “retirement” of then CEO Richard Smith as well as a raft of senior executives.

By 2019, the cost of the breach had reached nearly £1.6bn ($2bn), including a £576m ($700m) settlement with the FTC, the Consumer Financial Protection Bureau and numerous state attorneys general. According to Equifax, at the time of the breach the company had $125m (£103m) in cybersecurity insurance coverage.

In response to the latest fine, Equifax president for Europe Patricio Remon said: “Since the cyberattack against our company six years ago, we have invested over £1.2bn ($1.5bn) in a security and technology transformation.

“Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.”
