
Fine Imposed for Failing to Protect UK Customer Data and Misleading Britons

UK FCA Fines Equifax 11 Million Pounds for 2017 Data Breach
Equifax headquarters in Atlanta, Ga.

A British financial regulator fined American credit reporting agency Equifax 11 million pounds for its role in one of the world’s largest data breaches.


Chinese military hackers in 2017 exploited a vulnerability in Equifax’s online dispute portal to download the personal data of nearly 14 million residents of the United Kingdom as well as approximately 148 million Americans. The hackers – four of whom are under indictment by the U.S. Department of Justice – exploited a well-known vulnerability in the Apache Struts Web Framework that Equifax let go unpatched for months. Their presence inside Equifax’s network also went undetected from their initial penetration in mid-May through July 30, 2017.

Describing the incident as “entirely preventable,” the British Financial Conduct Authority on Friday imposed a fine of 11,164,400 pounds. The regulator also chastised the Atlanta-based company for misleading British consumers on the severity of the breach. Equifax “published several statements following the Incident which gave, most significantly, an inaccurate impression of the number of consumers affected by the Incident,” the agency wrote in its decision.

“The risk of identity theft never stops; it is imperative that firms maintain the highest standards in data protection,” said Therese Chambers, FCA joint executive director of enforcement and market oversight. “Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach.”

Equifax first publicly disclosed the incident in September 2017, almost six months after the initial breach. The company did not immediately respond to a request for comment.

The fine is one of many Equifax has paid to resolve investigations into the incident. In 2018, the British Information Commissioner’s Office fined the credit reporting agency 500,000 pounds, the maximum then possible under U.K. law. In 2019, Equifax paid $175 million to a coalition of 48 U.S. state attorneys general and $100 million to the Consumer Financial Protection Bureau, and established a $425 million fund from which U.S. consumers could receive identity protection and refunds for out-of-pocket losses.
