The Financial Conduct Authority (FCA) has belatedly hit “negligent” Equifax with an £11 million fine – six years after a pre-GDPR data breach that saw 13.8 million UK consumers’ data exposed.
The fine was not just for the breach, but for Equifax’s misleading response. It is a 40-fold increase on an earlier fine levied by the Information Commissioner’s Office in 2018 over the data breach.
The incident happened after the company failed to patch against a known Apache Struts vulnerability; sent security alerts to an out-of-date mailing list; and saw an expired certificate prevent a security rule from blocking attackers, among other cybersecurity failings.

The FCA said this week that it had found the company in breach of multiple “Principles” that govern how regulated firms behave.
These include “Principle 3” which requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems, and “Principle 6” which requires a firm to pay due regard to the interests of its customers, the FCA said.
Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, said: “Cyber…