Equifax scores £11.1M slap on wrist over 2017 mega breach
Not quite a pound for every one of the 13.8 million affected UK citizens, and it could have been more
The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over £11 million ($13.6 million) for severe failings that put millions of consumers at risk of financial crime.
The regulator branded the entire debacle "entirely preventable" – from Equifax's failure to promptly notify regulators to the way in which it misled the public over the severity of a security breach back in 2017.
The original fine should have been greater; the true sum was £15,949,200 ($19,428,836) but the company received a 30 percent discount for agreeing to the penalty early into the proceedings. It also received a 15 percent credit for good behavior during the investigation.
After first opening the investigation in 2017, the FCA's fine comes after the ICO wasted less time imposing a penalty of £500,000 ($609,092) in 2018.
"Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information, and intelligence officer.
"Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards."
In today's announcement, the FCA reminded UK businesses that regulated financial firms must have robust cybersecurity measures in place to protect personal data, and promptly notify regulators of data breaches in a way that's fair and accurate.
"Financial firms hold data on customers that is highly attractive to criminals," said Therese Chambers, FCA joint executive director of enforcement and market oversight.
"They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.
"The risk of identity theft never stops. Cybercriminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection."
Important info and a quick recap
The two companies involved here are Equifax Ltd and Equifax Inc. There are key differences between the two that are important in fully understanding the case.
Equifax Ltd is the one that just got fined. It's a credit reference agency (CRA) in its own right but also collects and analyzes data from clients and other sources to use for other purposes like marketing.
Its main product is Global Consumer Solutions (GCS) and this is what provides most UK adults with credit reports and web monitoring.
GCS sells its products in two ways: directly to consumers and indirectly to third parties that then sell information to consumers.
The direct UK consumer data from GCS is what was outsourced to Equifax Inc's US servers for processing under a Data Processing Agreement between the two companies.
Equifax Inc is the parent company of Equifax Ltd. It too is a global CRA and was the company that stored and processed UK consumer data on behalf of Equifax Ltd under their agreement.
Despite being part of the same group, the Data Processing Agreement constituted an outsourcing of data, meaning Equifax Ltd was still liable for the issues in the eyes of regulators even though it was Equifax Inc's system blunders that led to the incident.
In 2017, what would come to be known as one of the very worst data breaches in history was announced by Equifax – an incident from which businesses across the world would learn and never attempt to repeat.
From scandalous security practices that allowed attackers in the door to disclosure strategies that would boggle the minds of anyone who came into the workforce post-GDPR, the Equifax breach highlighted a litany of issues.
The patching part
Attackers were able to breach Equifax Inc's servers by exploiting the unpatched Apache Struts vulnerability (CVE-2017-5638).
The investigation into why this wasn't patched revealed that the breach initially began on March 10, 2017, when cybercriminals started scanning the unpatched systems two days after US-CERT issued an advisory about the vulnerability.
On March 9, 2017, a day after it received the alert, Equifax distributed the advisory to its sysdamins but the mailing list wasn't up to date, meaning a number of key staff weren't contacted about it.
The single employee tasked with overseeing software patches failed to identify the vulnerability because they only scanned root directories and not the subdirectory where the Struts flaw was located.
- Equifax software bug messed up credit score calculations for weeks
- Equifax finally coughs up the money for its 2017 monster hack… to the banks for having to cancel your cards
- Equifax is going to make you work for that 125 bucks it owes each of you: Biz sneaks out Friday night rule change
- Equifax to world+dog: If we give you this $700m, can you pleeeeease stop suing us about that mega-hack thing?
The actual data breach occurred two months later on May 13, 2017. The vulnerability was only patched in some areas, leaving the doors open for mass data theft that affected people in the US, UK, and Canada.
Most UK citizens had their names and DOBs accessed. More than a million had their phone number included in this too.
The number of cases that involved names, DOBs, phone numbers (the main three), and another data point were in the tens of thousands. Some had the main three plus email address; or the main three plus driving license number; or home addresses and Equifax membership login usernames, passwords, secret Q&A, and partially exposed credit card details.
The disclosure part
Equifax Inc only became aware of the breach on July 30, 2017, and by August 11, 2017, it knew customer data may have been accessed.
At this point, the FCA argues in the full Final Notice, Equifax should have been aware that UK consumers were affected. Equifax Ltd became certain that UK data was compromised on August 29, 2017, and due to the nature of the Data Processing Agreement between Equifax Ltd and Equifax Inc, the former should have notified UK regulators at least by this point, but ideally on the 11th.
Equifax Inc was told by lawyers on September 5, 2017, that Equifax Ltd needed to tell the ICO. It took two further days to communicate this to Equifax Ltd.
The FCA only learned about the breach in a press report published on September 8, 2017, following Equifax's public disclosure in the late hours of September 7.
A series of phone calls followed in which the FCA said Equifax Ltd was unable to answer basic questions about the nature of the breach. What followed were "frustrating" delays in identifying and remediating the impacted consumer records.
The FCA said in today's announcement that in the weeks after the initial disclosure, "Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected.
"Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled."
Among these misleading statements was its intention to contact fewer than 400,000 UK consumers, implying that only 400,000 people were impacted when in fact Equifax at the time was under the impression that more than 15.1 million customers may have been affected.
On a later call with the FCA, it declined to correct this figure after numerous media reports led with it, citing a variety of reasons including:
- That it should not be "held responsible for journalists who misinterpret the information"
- It would alarm consumers in circumstances where no call-to-action would be given
- Its call center and website would be overwhelmed by consumers' inquiries which would cause further distress to consumers
- Such an announcement would increase the risk by inviting hackers to search online for the accessed data
- In the event of publication this could affect Equifax Inc's share price
After an additional UK dataset was discovered, Equifax issued an updated press release which the FCA again felt didn't accurately communicate the number of consumers affected. Communication issues persisted into October 2018, according to the FCA's notice.
In a statement sent to The Register, Equifax said: "Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognized by the FCA for that cooperation, our transformation program and the voluntary consumer redress exercise we implemented after the incident. Since the cyberattack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers' information is protected.
"We have built one of the world's most advanced and effective cybersecurity programs. Our maturity level has exceeded all major industry benchmarks, and our posture – the ability to protect our networks, information, and systems from threats – has ranked in the top 1 percent of technology companies and top 3 percent of financial services companies analysed, for three consecutive years." ®
Biting the hand that feeds IT
