The UK’s financial watchdog has imposed an £11 million ($21.2 million) fine on Equifax, a consumer credit rating agency, for its involvement in what’s described as “one of the largest” cybersecurity breaches in history.
In 2017, Equifax’s parent company in the United States experienced a massive cybersecurity breach, affecting the personal data of up to 147.9 million US consumers. The Financial Conduct Authority (FCA) in the UK revealed that 13.8 million UK consumers were also at risk because their data was stored on US-based company servers. The compromised information included names, dates of birth, Equifax membership login details, partially exposed credit card details, and addresses.
The FCA criticized the incident, stating that the cyberattack and unauthorized data access were entirely preventable and exposed UK consumers to financial crime risks. Equifax responded by noting its full cooperation with the FCA during the investigation and highlighting its substantial investments in security and technology transformation, totaling over $1.5 billion since the cyberattack six years ago.
The FCA pointed out that the UK branch of Equifax only became aware of the data breach six weeks after the parent company’s discovery, and the regulator identified known security weaknesses in Equifax Inc’s systems that had not been addressed.
Equifax’s fine was reduced because the company agreed to address the matter and cooperate closely with the FCA. The UK’s Information Commissioner’s Office had previously fined Equifax Ltd £500,000 in 2018.