The FCA has fined Equifax Ltd £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its US parent, in breach of Principles 3, 6 and 7. In 2017, cyber-hackers caused Equifax Inc to suffer one of the largest cyber-security breaches in history. The fine follows a £500,000 fine imposed by the ICO in 2018.
As a result of the breach, data on approximately 13.8 million people in the UK (as well as nearly 150 million in the US and nearly 20,000 in Canada) was exposed to the cyber-hackers, because Equifax Ltd had outsourced it to Equifax Inc's servers in the US for processing. The data included names, dates of birth, partially exposed credit card details and residential addresses. It related to the Equifax Identity Verifier product, which helps business customers verify and authenticate their customers' details, and to Global Customer Solutions, which gives retail customers access to their credit reports and provides a web monitoring service.
Because Equifax Ltd did not treat the relationship with its parent company as outsourcing, it did not provide sufficient oversight of how the data it was sending was managed and protected. The breach was therefore entirely preventable, particularly since Equifax Ltd was aware of the weaknesses in Equifax Inc's security systems.
This was compounded by Equifax Ltd's management of the breach. Equifax Ltd did not find out about the breach until 6 weeks after Equifax Inc discovered the hack, and only 5 minutes before it was announced by the parent company. The FCA learned about the incident through press reports, and when it contacted Equifax Ltd to ask for more information the firm was unable to provide it because it did not have the information at the time. Because Equifax Ltd learned of the breach so late, and because it had no arrangements in place with its parent that allowed it to quickly obtain the information it needed on affected UK customers, there were delays in dealing with complaints, as Equifax Ltd could not handle the volume. The FCA also found that it mishandled complaints and failed to treat customers fairly by not maintaining quality assurance checks on complaints handling. Further, the public statements Equifax Ltd made on the impact of the incident did not reveal the true extent of the number of UK consumers affected.
The FCA stressed that regulated firms must have effective cyber-security arrangements to protect the personal data they hold, and must keep systems and software up to date to prevent unauthorised access. If there is a breach, firms must notify affected individuals as soon as possible in a way that is fair, clear and not misleading. Jessica Rusu, Chief Data, Information and Intelligence Officer at the FCA, also noted the higher standards that the Consumer Duty requires.
Equifax Ltd benefited from a 30% reduction in the fine for settling the action, and a 15% credit for mitigation because of its high level of cooperation, the voluntary redress it offered to consumers and the group's global transformation programme that followed the incident.