The Equifax case study from a UK perspective
20th October 2023
Rick Denton
We have all witnessed or read about a sequence of concerning data breaches and cyber attacks in recent times. These have affected well-known high-street names such as Boots, BA and the BBC, which were attacked via an outsourced provider that managed their payroll and whose compromise let the attackers in. When we look back at the history of data breaches, the Equifax case, which in the US dates back to 2017 although the UK fines have only recently been issued, offers some of the clearest lessons on the importance of having structures in place to support resilience.
In 2017, Equifax, a credit reporting agency that assesses the financial health of a large proportion of the US population, suffered a data breach affecting the personal data of over 140 million consumers. The attackers were inside supposedly secure systems from May 2017 until the intrusion was discovered at the end of July, and stole terabytes of data. The entry point was the company's consumer complaints (dispute) web portal, which was running web application software with a publicly known vulnerability for which a patch had been available since March 2017, and which was not adequately segregated from core systems. The company was severely criticised for its lax response to the breach, and Equifax was left facing dozens of lawsuits and government investigations.
Now, the UK implications of the case have also been analysed. The attackers were also able to access the data of approximately 13.8 million UK consumers, because Equifax Ltd, the UK entity, sent UK consumer data to Equifax Inc's servers in the US for processing. The data accessed included names, dates of birth, phone numbers, Equifax membership login details, partial credit card details and residential addresses.
The UK financial regulator, the FCA, has now fined Equifax Ltd £11,164,400 for its role in what is one of the largest security breaches in history. The UK ICO had already imposed a fine of £500,000 for the same incident in 2018.
However, the cyberattack and the unauthorised access were preventable. The FCA concluded that the UK Equifax entity did not treat its relationship with its US parent as an outsourcing arrangement. There was no oversight of how the data sent to the US was managed or protected. Equifax Ltd was aware of weaknesses in the US parent's systems, yet paid inadequate attention to the protection of its UK consumer data, which should have been segregated. Equifax Ltd also made inaccurate statements about the number of consumers affected, and it failed to treat customers fairly by not maintaining quality assurance checks on complaints, so that complaints were often mishandled.
Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, said ‘Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards’.
So, considering the many mistakes made, what can we learn from the UK side of the case?
- Equifax had clearly failed to implement a comprehensive information security programme, with significant consequences.
- The UK breach could have been prevented by adequate network segmentation between the UK and US environments, so that a compromise of the US consumer portal could not reach UK consumer data.
- Effective patching would have helped: the attackers gained their initial foothold through a well-known vulnerability in the US customer complaints portal, for which a fix was publicly available but had not been applied in a timely or regular way.
- There was no file integrity monitoring that could have detected the malicious activity (such as new or altered files on the web servers) taking place within the network.
- The incident response plan was inadequate, with no clear processes to patch vulnerabilities, prioritise the protection of key assets or ensure the security of key systems.
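The file integrity monitoring point above is the one lesson that translates directly into a concrete control, so the following added example (written for this page, not code from Equifax, the FCA or any product) shows the mechanism: take a SHA-256 baseline of a web application directory, store it out of band, and later compare the live directory against it. The directory layout, file contents and the simulated attacker changes (a dropped "cmd.jsp" and a tampered "index.jsp") are constructed for the demonstration.

```python
"""Minimal file integrity monitor: baseline a directory's SHA-256 hashes, then diff.

Added illustration for the Equifax lessons above; not code from the page's subject.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[str(path.relative_to(root))] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a web root, simulate an intrusion, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "index.jsp").write_text("<html>hello</html>")
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")

        # The baseline must be kept somewhere the web server account cannot
        # write, otherwise an attacker simply re-baselines after tampering.
        manifest = json.dumps(build_baseline(root))

        # Simulated attacker activity (constructed, not from the real incident):
        # a web shell is dropped and an existing page is modified.
        (root / "cmd.jsp").write_text("<% /* constructed web shell stand-in */ %>")
        (root / "index.jsp").write_text("<html>hello</html><!-- tampered -->")

        return compare(json.loads(manifest), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the scan runs on a schedule from a separate, more privileged context, the baseline is refreshed only as part of a controlled deployment, and any "added" or "modified" entry in a directory that should be static raises an alert that someone actually reviews; a monitor whose output nobody reads would not have helped Equifax either.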
Hopefully, this will heighten the vigilance of all companies, particularly when considering outsourcing arrangements.