UK FCA Fines Equifax 11 Million Pounds for 2017 Data Breach
Fine Imposed for Failing to Protect UK Customer Data and Misleading Britons

A British financial regulator fined American credit reporting agency Equifax 11 million pounds ($13.4 million) for its role in one of the world's largest data breaches.
In 2017, Chinese military hackers exploited a vulnerability in Equifax's online dispute portal to download the personal data of nearly 14 million residents of the United Kingdom as well as approximately 148 million Americans. The hackers - four of whom are under indictment by the U.S. Department of Justice - exploited a well-known vulnerability in the Apache Struts web framework that Equifax had left unpatched for months. Their presence inside Equifax's network also went undetected from their initial penetration in mid-May through July 30, 2017.
Describing the incident as "entirely preventable," the British Financial Conduct Authority on Friday imposed a fine of 11.2 million pounds. The regulator also chastised the Atlanta-based company for misleading British consumers on the severity of the breach. Equifax "published several statements following the Incident which gave, most significantly, an inaccurate impression of the number of consumers affected by the Incident," the agency wrote in its decision.
"The risk of identity theft never stops; it is imperative that firms maintain the highest standards in data protection," said Therese Chambers, FCA joint executive director of enforcement and market oversight. "Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach."
Equifax first publicly disclosed the incident in September 2017, almost six months after the initial breach. The company said in an emailed statement attributed to Patricio Remon, president for Europe, that it cooperated with the FCA investigation "and has been recognized by the FCA for that cooperation, our transformation program and the voluntary consumer redress exercise we implemented after the incident." Since 2017, the company has invested $1.5 million in security and technology, the statement added.*
The fine is one of many Equifax has paid to resolve investigations into the incident. In 2018, the British Information Commissioner's Office fined the credit reporting agency 500,000 pounds, the maximum then possible under U.K. law. In 2019, Equifax paid $175 million to a coalition of 48 U.S. state attorneys general and $100 million to the Consumer Financial Protection Bureau, and it established a $425 million fund from which U.S. consumers could receive identity protection and refunds for out-of-pocket losses.
*Updated Oct. 13, 2023 21:09 UTC: Adds response from Equifax