The UK’s financial regulator, the Financial Conduct Authority (FCA), has imposed a fine of over £11 million ($13.4 million) on Equifax Ltd. for its failure to protect UK consumer data stolen in the well-known 2017 data breach. The FCA revealed the penalty on October 13, 2023, stating that Equifax’s UK division did not adequately secure the personal data of 13.8 million UK consumers, which was under the control of its US-based parent company.
Furthermore, the data breach, involving the exposure of sensitive information, was ruled as preventable, stemming from the exploitation of an unpatched Apache Struts vulnerability by threat actors.
The breach occurred because Equifax Ltd. had outsourced data to Equifax Inc.’s servers in the US for processing, including information such as names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card data, and residential addresses. The FCA emphasized that the theft of UK data was entirely avoidable, attributing this to Equifax’s lack of oversight and security measures, despite known weaknesses in its parent company’s data security systems. The delay in informing UK customers that their data had been compromised stemmed from Equifax Ltd.’s late discovery of the breach, shortly before the official announcement in September 2017.
The FCA criticized Equifax Ltd.’s public statements, which provided an inaccurate impression of the number of consumers affected, and the mishandling of complaints from UK consumers due to a lack of quality assurance checks. The regulator emphasized that financial firms are responsible for customer data, whether or not it is outsourced. The severity of the penalty underscores the importance of cybersecurity and data protection in the financial services industry, highlighting that firms must uphold high standards for data resiliency and ethics.
In previous settlements, Equifax Inc. agreed to pay $575 million to the Federal Trade Commission and 50 US states in 2019, while the UK Information Commissioner’s Office (ICO) imposed a £500,000 fine in 2018. Equifax was found to have violated several data protection principles during the incident, as per the Data Protection Act 1998.