UK regulator hits Equifax with £11mn fine over cyber breach

Unlock the Editor’s Digest for free

Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.

The Financial Conduct Authority has fined credit reporting agency Equifax just over £11mn for failing to protect the data of nearly 14mn UK customers caught up in one of the largest ever cyber security breaches.

Names, dates of birth, phone numbers, addresses and some credit card details of UK consumers were all accessed by the hackers in 2017, in an attack that the FCA on Friday called “entirely preventable”.

The penalty adds to the significant bill from the incident for the Atlanta-based group, which in 2019 agreed to pay almost $800mn in a record settlement with US regulatory authorities after the hackers obtained the data of nearly 150mn Americans.

Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, said financial firms had a duty to keep safe data that was “highly attractive to criminals”.

Equifax, she said, failed to do this and “compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.”

The credit data company’s UK unit, the subject of the investigation, did not treat its relationship with its US parent as outsourcing, and so did not have sufficient oversight of the data that it sent to the US, regulators said.

The UK unit did not find out that local consumer data had been accessed until six weeks after the parent had discovered it, and was informed by its parent about the events “approximately five minutes” before the group made an announcement. That meant the UK arm was unable to cope with complaints, leading to delays, the FCA said. 

The group also made several inaccurate public statements regarding the impact on UK consumers, the FCA said. Its report found, for example, that when a press release in September 2017 said UK data “may potentially have been accessed”, Equifax was aware that it indeed had been.

When Equifax said at the same time that it intended to contact 400,000 UK customers, creating a perception that this was the number affected, it knew that potentially 15mn customers had been affected, according to the FCA.

“Since the cyber attack against our company six years ago, we have invested over $1.5bn in a security and technology transformation,” said Patricio Remon, Equifax’s head of Europe. “Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.”

The fine included a 30 per cent discount after the company agreed to resolve the matter, and further mitigation for its co-operation with the investigation.

The company received a £500,000 fine from the UK’s Information Commissioners’ Office in 2018 for the same data breach, the maximum penalty allowed at the time of the hack.