Equifax Fined £11m Over 'Entirely Preventable' Cyber Breach

The Financial Conduct Authority has fined credit reporting firm Equifax £11m for failing to safeguard UK consumer data, which it had outsourced to its parent company based in the US.

The Financial Conduct Authority (FCA) has fined credit reporting firm Equifax £11m for failing to safeguard UK consumer data, which it had outsourced to its parent company based in the US.

In 2017, Equifax’s parent company, Equifax Inc, was subject to one of the largest cybersecurity breaches in history.

Cyber-hackers were able to access the personal data of approximately 13.8m UK consumers because Equifax outsourced data to Equifax Inc’s servers in the US for processing.

The UK consumer data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

According to the , the breach was “entirely preventable” because Equifax did not treat its relationship with its parent company as outsourcing.

As a result, it failed to provide sufficient oversight of how the data was managed and protected.

Additionally, the FCA said that "there were known weaknesses" in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.

"Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so," said Therese Chambers, joint enforcement and market oversight director at the FCA.

"They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not," Chambers added.

One legal source commented that the situation was a “comedy of errors”.

Equifax did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack.

The firm was informed about the incident approximately five minutes before it was announced by its US parent company, and this meant Equifax was unable to cope with complaints it received when the incident was announced, which led to delays in contacting UK customers.

Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers, which the FCA says gave an inaccurate impression of the number of consumers affected.

Furthermore, the regulator said that Equifax treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning that complaints were mishandled.

When approached by ��žž, a spokesperson for Equifax said that the company has cooperated with the FCA “fully throughout this long-running investigation”.

“We have been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident.”

Since the cyberattack, the credit reporting company says that it has invested more than $1.5bn to improve security. “Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.”

Regulatory implications

Equifax’s situation shows that both outsourcing and consumer protection are focus points for regulators.

“When it comes to outsourcing, this is an area where I think we can expect to see a lot more focus from the FCA,” said Kathryn Westmore, senior research fellow at the Royal United Services Institute.

Westmore told ��žž that this fine demonstrates the risks from a cybersecurity perspective of not having the appropriate level of oversight, and from other core functions, such as compliance, increasingly being outsourced to third-party providers.

“While there can be cost and operational benefits to a firm, it also brings with it risk,” said Westmore. “I have no doubt that we will see more cases in the future where firms have relied on a third party without the necessary level of scrutiny."

The FCA has also used the enforcement action to channel its flagship new policy, the Consumer Duty rules.

FCA official Jessica Rusu commented that the “the Consumer Duty makes it clear that firms must raise their standards”.

“Cybersecurity and data protection are of growing importance to the security and stability of financial services,” the chief data, information and intelligence officer said. “Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information.”

In the FCA’s guidance on the Consumer Duty, it has that if a firm chooses to outsource elements of its consumer support to a third party, it is responsible for ensuring the support provided meets the duty standard.

Therefore, the firm should have systems and controls in place to monitor this and provide assurance that it is meeting its regulatory obligations.

Meanwhile, in June last year, HM Treasury a policy statement on critical third parties to the financial sector, which included outsourcing.

As with counterparts in the EU, the UK is keen to combat the risks from outages and cyberattacks that can come with outsourcing to third-party providers.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

To read more articles like this, along with gaining access to the tools that will help you navigate compliance risk with confidence, request a demo of our RegTech platform today.

��žž