Brief

Summary:
The Financial Conduct Authority (FCA) has fined Equifax Ltd u00a311,164,400 for failing to manage and monitor the security of UK consumer data outsourced to its parent company in the US. A 2017 cyberattack exposed the personal data of approximately 13.8 million UK consumers, compromising their security and increasing the risk of financial crime. Equifax failed to provide sufficient oversight and did not keep its data secure, despite knowing weaknesses in its parent company's systems. The FCA has emphasized the importance of effective cybersecurity arrangements and the need for firms to maintain the highest standards in data protection.

The FCA has fined Equifax Ltd (Equifax) £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime. 

In 2017, Equifax’s parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history. Cyber-hackers were able to access the personal data of approximately 13.8 million UK consumers because Equifax outsourced data to Equifax Inc’s servers in the US for processing.

The UK consumer data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.

The cyberattack and unauthorised access to data was entirely preventable. Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.

Equifax did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company. This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers.

Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected. Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.

Regulated financial firms must have effective cyber security arrangements to protect the personal data they hold. Firms must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsource.

When an FCA-authorised firm becomes aware of a data breach, it is essential it promptly notifies affected individuals in a way which is fair, clear and not misleading and implements fair complaints handling procedures.

Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, said: ‘Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.

‘The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.’

Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, said: ‘Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.’

Notes to editors

  1. Final Notice.

  2. Given the public interest in this matter, the FCA confirmed its investigation into Equifax Ltd in 2017.

  3. Equifax Ltd agreed to resolve this matter and qualified for a 30% (Stage 1) discount under the Authority’s executive settlement procedures. Were it not for this discount, the Authority would have imposed a financial penalty of £15,949,200 (before 30% discount) on Equifax Ltd.

  4. Equifax Ltd also received a 15% credit for mitigation in acknowledgement of its high level of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident.

  5. The Information Commissioner’s Office investigated the data breach and imposed a £500,000 fine on Equifax Ltd in 2018.

  6. The data outsourced was for the Equifax Identity Verifier and Global Consumer Solutions. The Equifax Identity Verifier product is one of the B2B services Equifax Ltd provides to business customers, which helps businesses to verify and authenticate their customers’ identities. Global Consumer Solutions is a product that gives retail consumers access to their credit reports and it also provides a web monitoring service. 

Highlights content goes here...

Summary:

On [Date], the Financial Conduct Authority (FCA) fined Equifax Ltd (Equifax) u00a311,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The financial penalty is a result of a massive cybersecurity breach in 2017, which exposed the personal data of approximately 13.8 million UK consumers.

The incident occurred when hackers accessed the personal data of UK consumers, including names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses, through Equifax Inc’s servers in the US. The breach was entirely preventable, as Equifax failed to provide sufficient oversight of how data it was sending was properly managed and protected. The company was aware of weaknesses in Equifax Inc’s data security systems but failed to take appropriate action.

The FCA found that Equifax responded to the breach poorly, notifying customers five minutes before announcing the incident publicly. This led to delays in contacting affected consumers, and the company made public statements that gave an inaccurate impression of the number of consumers affected. Moreover, Equifax failed to maintain quality assurance checks for complaints following the cybersecurity incident, resulting in mishandled complaints treatment.

The FCA emphasized that regulated financial firms have a duty to keep personal data safe and must have effective cybersecurity arrangements in place. The authority highlighted that firms are responsible for data they outsource and must inform affected individuals promptly and fairly in the event of a breach.

The FCA’s decision imposed a 30% discount on the proposed fine in recognition of Equifax’s cooperation during the investigation and its voluntary redress offer to consumers. Although the fine is significant, it is lower than the initial proposed fine of u00a315,949,200.

Financial Conduct Authority

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Login

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
$125 / month OR $1250 / year
Features
Best for: Researchers, Legal professionals, Academics
Enterprise Plan
Contact for Pricing
Features
Best for: Law Firms, Corporations, Government Bodies