Equifax fined £11m over 2017 consumer data breach

The UK’s financial watchdog has fined credit reporting agency Equifax over £11 million for a data breach that took place in 2017.

In what is described by the Financial Conduct Authority (FCA) as one of the largest cybersecurity breaches in history, hackers were able to access the personal information of 13.8 million UK consumers after Equifax outsourced data for processing to the servers of its parent company in the US.

Consumer data accessed by the hackers included names, dates of birth, phone numbers, addresses, Equifax membership login details, and partially exposed credit card details.

The regulator said that the cyberattack was "entirely preventable", explaining that the agency did not treat its relationship with its parent company as outsourcing. As a result, it said, the agency did not provide sufficient oversight of how the data it was sending was managed and protected.

"There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data," added the organisation.

Equifax did not find out that UK consumer data had been accessed until six weeks after its US parent had discovered the attack. In fact, the agency was only informed about the attack around five minutes before it was announced publicly by its parent company, Equifax Inc.

The FCA said that this meant the company was unable to cope with complaints it received when the incident was made public, leading to delays in contacting UK customers.

"Financial firms hold data on customers that is highly attractive to criminals," said Therese Chambers, joint executive director of enforcement and market oversight. "They have a duty to keep it safe and Equifax failed to do so."

She continued: "They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not. The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection."

Additionally, the FCA said that the company had made several public statements on the impact of the incident to UK consumers which gave an "inaccurate impression of the number of consumers affected".

The regulator says that the company treated consumers "unfairly" by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.

"Cybersecurity and data protection are of growing importance to the security and stability of financial services," said Jessica Rusu, FCA chief data, information and intelligence officer. "Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information.

"The Consumer Duty makes it clear that firms must raise their standards."
