Six years after the incident, the Financial Conduct Authority has fined the information provider Equifax UK just over £11 million for failing to protect the data of nearly 14 million British customers caught up in one of the largest cybersecurity breaches.
In 2017, a group of hackers gained access to names, dates of birth, phone numbers, addresses, and some credit card details of a vast number of UK and US consumers. The FCA considers this breach to have been “entirely preventable.”
This penalty adds to the record fine of around $800 million that the Equifax group agreed to in 2019 with US regulatory authorities over the theft of data from nearly 150 million Americans.
The UK branch of Equifax places part of the blame on the American parent company, accusing it of not promptly communicating the data breach, information that would have allowed the situation to be handled more efficiently. Equifax US allegedly informed its English subsidiary only after two weeks, and just 5 minutes before the official announcement.
The British authority believes that Equifax UK failed to properly oversee what was essentially an outsourcing of data. Furthermore, it blames Equifax UK for downplaying the severity of the issue: in a 2017 statement, the company referred to the risk that about 400,000 names had been stolen, when it was clear that the number of people affected was around 15 million.
For her part, Therese Chambers, Executive Director for Market Oversight at the FCA, stated that companies handling citizens’ financial data have a duty to ensure maximum security, as this type of data is considered “highly attractive to criminals.”
Since that cyber-attack, Equifax has initiated a significant transformation in its technological structure and information security policies, investing over $1.5 billion.