The Financial Conduct Authority (FCA) has belatedly hit “negligent” Equifax with an £11 million fine – six years after a pre-GDPR data breach that saw 13.8 million UK consumers’ data exposed.
The fine was not just for the breach, but for Equifax's misleading response to it. At roughly £11.2 million it is more than 20 times the £500,000 penalty the Information Commissioner's Office levied over the same breach in 2018, the maximum available under the pre-GDPR Data Protection Act.
The incident happened after the company failed to patch a known Apache Struts vulnerability in an internet-facing web application; sent the patching alert to an out-of-date internal mailing list, so the people responsible for the affected system never received it; and let a certificate on a network-traffic inspection device expire, so encrypted traffic (including the attackers' data exfiltration) went uninspected for months and the detection that should have fired did not, among other cybersecurity failings.
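The expired certificate is the easiest of these failures to catch mechanically, and it is the one control below that a monitoring job can verify without any knowledge of the application. What follows is an added example, not code from the article or from Equifax: a small Go checker that flags certificates that have already expired or will expire within a warning window. The certificate it examines is a constructed self-signed one built inline, standing in for a certificate exported from an inspection device, proxy or load balancer; the reference date and the 30-day window are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the outcome of checking one certificate's validity window.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	Expired  bool // NotAfter is already behind `now`
	Warn     bool // still valid, but NotAfter falls inside the warning window
}

// CheckCertExpiry compares a parsed certificate's NotAfter against `now`.
// A scheduled job would run it over every certificate an inspection device,
// TLS-terminating proxy or load balancer has loaded, and page on either flag.
func CheckCertExpiry(cert *x509.Certificate, now time.Time, warn time.Duration) CertStatus {
	expired := now.After(cert.NotAfter)
	return CertStatus{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		Expired:  expired,
		Warn:     !expired && now.Add(warn).After(cert.NotAfter),
	}
}

// Findings returns one human-readable line per certificate that needs
// attention; certificates that are fine produce nothing, so an empty
// result means the fleet is clean.
func Findings(certs []*x509.Certificate, now time.Time, warn time.Duration) []string {
	var out []string
	for _, c := range certs {
		s := CheckCertExpiry(c, now, warn)
		switch {
		case s.Expired:
			out = append(out, fmt.Sprintf("EXPIRED %s (not after %s)", s.Subject, s.NotAfter.Format("2006-01-02")))
		case s.Warn:
			out = append(out, fmt.Sprintf("EXPIRING %s (not after %s)", s.Subject, s.NotAfter.Format("2006-01-02")))
		}
	}
	return out
}

// makeTestCert builds a self-signed certificate with the given validity
// window. Constructed sample input for the example: it stands in for a
// certificate exported from a real device.
func makeTestCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Assumed reference date for the demonstration, not a date from the article.
	now := time.Date(2017, 7, 29, 0, 0, 0, 0, time.UTC)
	lapsed, _ := makeTestCert("inspection-device.example", now.AddDate(-2, 0, 0), now.AddDate(0, -10, 0))
	soon, _ := makeTestCert("proxy.example", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10))
	fine, _ := makeTestCert("lb.example", now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0))
	for _, line := range Findings([]*x509.Certificate{lapsed, soon, fine}, now, 30*24*time.Hour) {
		fmt.Println(line)
	}
}
```

The check deliberately evaluates against an explicit `now` rather than `time.Now()` so it is testable and so a device whose own clock has drifted cannot hide an expired certificate from the audit; feed it a trusted time source in production.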
The FCA said this week that it had found the company in breach of multiple “Principles” that govern how regulated firms behave.
These include “Principle 3” which requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems, and “Principle 6” which requires a firm to pay due regard to the interests of its customers, the FCA said.
Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, said: “Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.”
The fine follows an investigation into the cybersecurity incident that also saw the sensitive personal data of 147.9 million Americans and 19,000 Canadians exposed by hackers. This data included names, dates of birth, login details, phone numbers, partial credit card details, and home addresses of Equifax customers, according to the FCA report.
In 2019 Equifax Inc itself agreed a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories that included up to $425 million to help people affected by the data breach.
The FCA said: “The cyberattack and unauthorised access to data was entirely preventable… it failed to provide sufficient oversight of how data it was sending was properly managed and protected..."
"There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data," reads a pointed section in the FCA's press release.
For GRC professionals keen to revisit lessons from the breach, the US Government Accountability Office's 2018 post-mortem is a fine start.