The Financial Conduct Authority (FCA) of the United Kingdom recently imposed a fine of 11 million pounds (11,164,400 to be exact) on the credit monitoring agency Equifax for neglecting the management and monitoring of the security of British consumer data which it had outsourced to its US-based parent company.
The case raises important questions about data security and highlights the importance of cybersecurity in the digital age.
The Equifax case
Between May and July 2017, Equifax Inc, the parent company of Equifax, was the victim of one of the largest cybersecurity breaches in history, when hackers (probably Chinese) managed to access the personal data of 147.9 million Americans, 15.2 million British citizens and approximately 19,000 Canadian citizens. The theft of UK consumers' data was possible because Equifax had outsourced the data to Equifax Inc's servers in the United States for processing.
The attack happened because Equifax had not yet updated its credit dispute website with the new version of Struts, a security framework. Hackers then exploited this vulnerability to gain access to the company's internal servers.
Predictable attack
According to the FCA, the cyber attack and the unauthorized access to data could have been avoided because they were "entirely preventable", but Equifax did not consider the relationship with its parent company to be outsourcing. Consequently, adequate supervision of the management and protection of the transmitted data was missing.
"Financial companies hold customer data that is very attractive to criminals," commented Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA. "They have a duty to keep it safe and Equifax has failed to do so. They compounded this failure with how they mismanaged their response to the data breach."
The importance of cybersecurity
The case in question once again underlines the importance of accurate digital security. Nothing should be left to chance if it can be accessed via the network.
The importance of cybersecurity can't be emphasized enough, especially in an industry like finance.
Financial companies hold a lot of sensitive customer data such as personal, financial and banking information, and its loss or compromise can have disastrous consequences for the individuals and companies involved.
Equifax made the mistake of not treating its relationship with its parent company as “outsourcing,” and this led to a lack of oversight of how data was managed and protected. Companies must be aware of relationships with third parties and ensure that they share the same security standards.
The company also received criticism for the delay in disclosing details of the breach and for how it handled the aftermath of the attack. Immediately after the data breach, Equifax offered a website for consumers to find out if they had been victims of the breach. But the site was criticized for resembling a phishing site and asking for sensitive information. This demonstrates the importance not only of prevention, but also of preparation to address potential breaches. Companies must have breach response plans and procedures in place to minimize damage in the event of a cyber attack.
Cybersecurity is not just about data protection, but also third-party oversight, preparation for breaches, and appropriate response. Ignoring these aspects can lead to costly financial consequences and damage your company's reputation. Data security must, therefore, be an absolute priority.