The Financial Conduct Authority (FCA) imposed a fine of over £11 million on Equifax for its failure to safeguard customer data in the wake of a data breach that was outsourced to its US parent company.
In 2017, Equifax's inability to protect 13.8 million UK consumers, along with a total of 147.9 million individuals globally, from cyberattacks, marked one of the most significant cybersecurity breaches in history. This incident resulted in the CEO's resignation and a lawsuit from the Independent Community Bankers of America (ICBA).
The UK financial regulatory body expressed that this security lapse exposed millions of UK consumers, allowing cybercriminals to access sensitive information such as names, dates of birth, login credentials, phone numbers, partial credit card data, and home addresses of Equifax customers.
Therese Chambers, the joint executive director of enforcement and market oversight at the FCA, emphasized, "Financial institutions possess data highly sought after by criminals, and they bear a responsibility to safeguard it. Equifax's failure in this regard was compounded by their mishandling of the breach response. Regardless of whether they outsource operations, regulated firms are accountable. The threat of identity theft is constant, and it is essential for companies to maintain the highest data protection standards."
The FCA declared Equifax negligent, ill-prepared to protect customer data, inadequate in supporting users, and misleading in addressing the security breach.
Jessica Rusu, Chief Data, Information, and Intelligence Officer at the FCA, underscored the growing significance of cybersecurity and data protection for the stability of financial services. She stated, "Firms have both a technical and ethical obligation to ensure data resilience. The Consumer Duty clearly mandates that firms elevate their standards."
In response to the FCA's actions, Patricio Remon, President for Europe at Equifax, commented, "Equifax has cooperated fully with the FCA throughout the extensive investigation and has received recognition from the FCA for this cooperation, our transformation initiatives, and the voluntary redress program we implemented post-incident. Over the past six years, we have invested more than $1.5 billion in security and technology upgrades since the cyberattack on our company. Few companies have matched Equifax's commitment to protecting consumer information."
