The Financial Conduct Authority (FCA) has fined Equifax, a credit reporting agency, over £11 million due to their failure to protect the data of nearly 14 million UK customers. This cyber security breach is one of the largest ever recorded.
The hackers gained access to names, dates of birth, phone numbers, addresses, and some credit card details of UK consumers in 2017. The FCA has described this attack as “entirely preventable”.
This fine adds to the extensive costs incurred by Equifax as a result of the breach. In 2019, the company agreed to pay a record settlement of almost $800 million to US regulatory authorities for exposing the data of nearly 150 million Americans.
Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, emphasized that financial firms have a responsibility to safeguard data that is highly desirable to criminals. Equifax, according to Chambers, failed in this regard and worsened the situation by mishandling their response to the breach. The FCA states that regulated companies are liable, regardless of whether they outsource or not.
The FCA’s investigation focused on Equifax’s UK unit, which did not consider its relationship with the US parent company as outsourcing and thus lacked sufficient oversight of the data sent to the US. It took the UK unit six weeks after the parent company’s discovery to learn about the data breach, and the announcement was made only five minutes before the UK arm was informed. As a result, the UK unit was ill-equipped to handle complaints, causing delays, as stated by the FCA.
Furthermore, the FCA found that Equifax made several inaccurate public statements about the impact on UK consumers. For example, when a press release in September 2017 suggested that UK data “may potentially have been accessed”, Equifax was already aware that the data had indeed been accessed. The FCA also revealed that when Equifax announced its intention to contact 400,000 UK customers, it created the perception that this was the total number affected, while in reality, potentially 15 million customers were affected.
“Since the cyber attack against our company six years ago, we have invested over $1.5 billion in security and technology transformation,” said Patricio Remon, Equifax’s head of Europe. “Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.”
The fine includes a 30% discount as a result of the company’s agreement to resolve the matter and additional mitigation due to its cooperation with the investigation.
In 2018, the UK’s Information Commissioner’s Office fined the company £500,000 for the same data breach, which was the maximum penalty allowed at that time.