The UK Financial Conduct Authority (FCA) has fined Equifax Ltd £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US.
The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
In 2017, Equifax's parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history. Attackers were able to access the personal data of approximately 13.8 million UK consumers because Equifax outsourced that data to Equifax Inc's servers in the US for processing.
The UK consumer data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The cyberattack and unauthorised access to data were entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how the data it was sending was managed and protected. There were known weaknesses in Equifax Inc's data security systems, and Equifax failed to take appropriate action in response to protect UK customer data.
Equifax did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company. This meant Equifax was unable to handle the complaints it received when the incident was announced, and it led to delays in contacting UK customers.
Following the cybersecurity breach, Equifax made several public statements on the impact of the incident on UK consumers which gave an inaccurate impression of the number of consumers affected. Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.