October 13, 2023

Equifax fined £11m after cyberattack saw data of 13.8 million UK citizens exposed

The company should have taken more care when sharing data with its US parent, the financial watchdog says.

By Matthew Gooding

Credit checking company Equifax has been fined £11.1m over its failure to protect UK consumer data in a cyberattack which led to data belonging to 13.8 million UK consumers being exposed to hackers. Financial regulator the Financial Conduct Authority (FCA) has handed out the penalty, saying the exposure of UK consumers' data was “entirely preventable”.

Equifax data was hacked in 2017. (Photo by Shawn Hill/Shutterstock)

Equifax UK data was exposed in the 2017 breach, in which attackers had access to the systems of its US-based parent company from mid-May until late July of that year, after the UK business had shared the information with the parent. The attack was initially attributed to a hacking gang thought to operate out of China; in 2020 the US Department of Justice charged four members of the Chinese military over it. In total, the number of people from around the world whose data was stolen during the incident was initially put at 143 million and later revised by Equifax to around 147 million.

Why the FCA has punished Equifax over cyberattack

Following a detailed investigation, the FCA says that UK consumer data accessed by the hackers included names, addresses, dates of birth, phone numbers, Equifax membership login details and partially exposed credit card details.

The regulator described this unauthorised access to data as “entirely preventable”, stating: “Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.

“There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.”

It said Equifax did not find out that UK consumer data had been accessed until six weeks after its US parent had discovered the hack. “The firm was informed about the incident approximately five minutes before it was announced by the US parent company,” the FCA said. “This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers.”

The regulator also believes Equifax made several public statements on the impact of the incident on UK consumers “which gave an inaccurate impression of the number of consumers affected”. It added: “Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.”


Financial services sector has ‘technical and ethical’ cybersecurity responsibilities

Therese Chambers, joint executive director of enforcement and market oversight at the FCA, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.

“The risk of identity theft never stops. Cybercriminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”

Equifax has faced multiple lawsuits from consumers in the US over the cyberattack, and in 2019 came to an agreement with the Federal Trade Commission, the Consumer Financial Protection Bureau and US states to pay up to $700m over the incident, including a consumer restitution fund of at least $300m. In 2018, the UK Information Commissioner’s Office fined the company £500,000 over the attack, the maximum penalty available under the Data Protection Act 1998, the legislation in place at the time of the breach.

Patricio Remon, president for Europe at Equifax, said: “Equifax has cooperated with the FCA fully throughout this long-running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident.” Remon added that the company has spent $1.5bn on a security and technology transformation project since the cyberattack to bolster its defences.

Jessica Rusu, FCA chief data, information and intelligence officer, said: “Cybersecurity and data protection are of growing importance to the security and stability of financial services.

“Firms not only have a technical responsibility to ensure resiliency but also an ethical responsibility in the processing of consumer information. The consumer duty makes it clear that firms must raise their standards.”

