FCA fines Equifax £11m for one of history’s ‘largest cybersecurity breaches’

Written by Tue 17 Oct 2023

The Financial Conduct Authority (FCA) has fined Equifax Ltd (Equifax) £11,164,400 ($13,585,455) for its role in one of the ‘largest cyber-security breaches in history’.

The UK’s financial watchdog said the consumer credit reporting agency failed to effectively oversee and safeguard the security of UK consumer data. This data had been outsourced to Equifax Inc, Equifax’s parent company in the US.

Equifax agreed to resolve the matter and qualified for a 30% (Stage 1) discount under the Authority’s executive settlement procedures. Were it not for this discount, the FCA said it would have imposed a financial penalty of £15,949,200 ($19,403,079) on Equifax.

‘The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection,’ said Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA.

President for Europe at Equifax, Patricio Remon, said the company has cooperated with the FCA ‘fully throughout this long running investigation’.

“Since the cyberattack against our company six years ago, we have invested over $1.5 billion (£1.8 billion) in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected,” said Remon in a statement.

Equifax Ltd received a 15% credit for its cooperation during the investigation, its voluntary compensation to affected consumers, and the global transformation programme it implemented after the incident.

The Information Commissioner’s Office investigated the data breach and imposed a £500,000 ($608,632) fine on Equifax Ltd in 2018.

What are the facts of the Equifax hack?

The FCA said the 2017 breach allowed hackers to access the personal data of around 13.8 million UK consumers. UK consumer data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.

The FCA said the cyberattack and unauthorised access to data was entirely preventable.

Crucially, Equifax did not treat its relationship with its parent company as outsourcing. As a result, the company failed to provide ‘sufficient oversight’ of how the data it was sending was being managed and protected.

The financial watchdog stated there were known weaknesses in Equifax Inc’s data and security systems. However, Equifax failed to take ‘appropriate action’ to protect UK customer data.

Equifax was not informed that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the breach.

The FCA said Equifax was informed of the incident ‘approximately five minutes before’ it was announced by the American parent company. Therefore, Equifax was unable to cope with the complaints it received when the incident was announced. UK customers experienced delays in being contacted by Equifax as a result.

The Joint Executive Director of Enforcement and Market Oversight at the FCA, Therese Chambers, said financial firms have a duty to keep data safe that is highly attractive to criminals.

“Equifax…compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not,” said Chambers.

After the cybersecurity breach, Equifax provided inaccurate information to UK consumers regarding the extent of the incident. Additionally, the FCA said the company mishandled complaints by neglecting quality assurance checks, treating consumers unfairly.

The FCA stressed regulated financial firms ‘must have effective cyber security arrangements’ to protect the personal data they hold.

“Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information,” said Jessica Rusu, Chief Data, Information and Intelligence Officer at the FCA.

When an FCA-authorised firm identifies a data breach, it must promptly inform affected individuals transparently and without misleading them, while also establishing fair complaint handling procedures.
