The UK’s financial watchdog has fined credit reporting agency Equifax over £11 million for a data breach that took place in 2017.
In what is described by the Financial Conduct Authority (FCA) as one of the largest cybersecurity breaches in history, hackers were able to access the personal information of 13.8 million UK consumers after Equifax outsourced data for processing to the servers of its parent company in the US.
Consumer data accessed by the hackers included names, dates of birth, phone numbers, addresses, Equifax membership login details, and partially exposed credit card details.
The regulator said that the cyberattack was "entirely preventable", explaining that the agency did not treat its relationship with its parent company as outsourcing. As a result, it said, Equifax did not provide sufficient oversight of how the data it was sending was managed and protected.
"There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data," added the organisation.
Equifax did not find out that UK consumer data had been accessed until six weeks after the incident; in fact, the agency was only informed about the attack around five minutes before it was announced by its parent company, Equifax Inc.
The FCA said that this meant the company was unable to cope with complaints it received when the incident was made public, leading to delays in contacting UK customers.
"Financial firms hold data on customers that is highly attractive to criminals," said Therese Chambers, joint executive director of enforcement and market oversight. "They have a duty to keep it safe and Equifax failed to do so."
She continued: "They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not. The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection."
Additionally, the FCA said that the company had made several public statements on the impact of the incident to UK consumers which gave an "inaccurate impression of the number of consumers affected".
The regulator says that the company treated consumers "unfairly" by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.
"Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information and intelligence officer. "Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information.
"The Consumer Duty makes it clear that firms must raise their standards."