Equifax has been fined over £11m for failing to manage and monitor the security of consumer data.

The incident, which took place in 2017 and became one of the largest cyber security breaches in history, allowed hackers to access the personal data of approximately 13.8 million UK consumers because Equifax outsourced data to Equifax Inc’s servers in the US for processing.

The data accessed by the hackers ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

The Financial Conduct Authority said the attack and unauthorised access to data was “entirely preventable”, that Equifax did not treat its relationship with its parent company as outsourcing, and that, as a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems, it said, and Equifax failed to take appropriate action in response to protect UK customer data.

“Equifax did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company. This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers,” it said in a statement. “Following the cyber security breach, Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected. Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cyber security incident, meaning complaints were mishandled.”

Therese Chambers, joint executive director of enforcement and market oversight, commented: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.

“The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”

Regulated financial firms must have effective cyber security arrangements to protect the personal data they hold. Firms must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsource.

When an FCA-authorised firm becomes aware of a data breach, it is required to promptly notify affected individuals in a way which is fair, clear and not misleading. It must also implement a fair complaints handling procedure.

Share Story: