Equifax Fined for 2017 Data Breach in the UK

Executive Summary

In 2023, the UK branch of Equifax, a well-known credit reporting firm, received a fine of £11 million (approximately $13.6 million) from the Financial Conduct Authority (FCA) of the UK. The fine was a result of a significant data breach that occurred in 2017.

This breach exposed the personal data of approximately 13.8 million UK consumers and around 148 million individuals in the U.S. The fine was imposed because Equifax failed to effectively manage and monitor the security of the UK consumer data, particularly the data that had been outsourced to servers operated by its U.S. parent company, Equifax Inc.

This incident had a series of legal consequences for Equifax, which also faced fines and settlements in the U.S., including a $575 million settlement in 2019.

About the Breach

In 2017, Equifax suffered one of the largest data breaches in history, impacting about 148 million people in the U.S. and 13.8 million UK consumers. The breach was a result of Equifax Ltd. outsourcing data processing to servers run by its U.S. parent, Equifax Inc., without adequate security measures in place.

The exposed information included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.

The UK arm of Equifax did not find out about the data compromise involving UK consumer data until six weeks after Equifax Inc. had discovered the hack. The American parent company publicly announced the breach before informing the UK arm, which led to a delayed response in managing complaints and contacting the affected UK customers.

About the Fine

The Financial Conduct Authority (FCA) of the UK imposed a fine of over £11 million (approximately $13.6 million) on Equifax Ltd. in 2023 for failing to protect UK consumer data during the 2017 data breach.

The fine was announced on October 13, 2023, and was attributed to Equifax’s failure to “manage and monitor the security of UK consumer data”, which was outsourced for processing to servers run by its U.S. parent, Equifax Inc.

This fine is a part of a series of legal repercussions faced by Equifax due to the 2017 data breach.

In 2018, the UK’s Information Commissioner’s Office had separately fined Equifax Ltd £500,000 (then about $668,000) for violating data protection rules due to the same incident.

Moreover, in 2019, Equifax Inc. agreed to pay at least $575 million to settle allegations regarding the incident brought by U.S. state and federal regulators.

Takeaways

The Equifax case underscores the importance of protecting personal information to prevent legal and financial consequences. Even years after the incident, regulatory bodies can impose significant fines on organizations that fail to adequately safeguard consumer data.

Furthermore, this case highlights the crucial role of data management in the age of outsourcing and collaborations with third-party entities. While data processing may be outsourced, the primary company remains responsible for ensuring comprehensive protection of consumer data.

This serves as a reminder to organizations of their ongoing duty to maintain strong data security measures, whether data processing is done in-house or outsourced. Therefore, implementing a robust data governance framework is essential to mitigate risks, avoid legal penalties, and maintain trust with consumers and regulatory bodies.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.