October 13, 2023 at 08:55AM
Equifax has been fined £11 million ($13.6 million) by the UK’s Financial Conduct Authority (FCA) for failing to protect consumers from financial crime. The FCA criticized Equifax for its failure to notify regulators promptly and for misleading the public about the severity of a security breach in 2017. The original fine was £15.9 million ($19.4 million), but Equifax received a 30% discount for agreeing to the penalty early.
Summary:
Equifax Ltd has been fined £11 million by the UK’s Financial Conduct Authority (FCA) for severe failings in its cybersecurity practices. The FCA described the breach as “entirely preventable.” Equifax failed to promptly notify regulators and misled the public about the severity of a security breach in 2017. The original fine was £15,949,200, but Equifax received a 30% discount for agreeing to the penalty early and a 15% credit for good behavior during the investigation. The FCA emphasized the importance of robust cybersecurity measures and the prompt notification of data breaches by regulated financial firms.

Equifax’s parent company, Equifax Inc, stored and processed UK consumer data on behalf of Equifax Ltd under a Data Processing Agreement, making Equifax Ltd liable for the issues despite the system failures by Equifax Inc. The breach was caused by the exploitation of an unpatched Apache Struts vulnerability, resulting in extensive data theft affecting people in the US, UK, and Canada. Equifax Inc only became aware of the breach in July 2017, and Equifax Ltd did not notify UK regulators until August 2017.

Equifax made misleading statements about the number of affected consumers and mishandled complaints following the breach. Equifax has cooperated with the FCA’s investigation and stated that it has invested heavily in cybersecurity since the breach occurred.