The credit reference firm suffered a major cyber-security breach between May and July 2017.
But it only disclosed this in September and vastly underplayed the number of customers impacted – 400,000 when in fact 13.8 million were at risk of financial crime after having their personal details exposed.
The exposed data included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
The Financial Conduct Authority (FCA) said the fine reflects Equifax’s failure to manage and monitor the security of UK consumer data which it outsourced to its parent company – Equifax Inc – based in the US.
The City watchdog said the cyberattack and unauthorised access to data was “entirely preventable” and it “did not treat its relationship with its parent company as outsourcing”.
As a result, it failed to provide sufficient oversight of how the data it sent was managed and protected. There were known weaknesses in Equifax Inc’s data security systems, and Equifax failed to take appropriate action in response to protect UK customer data, the regulator added.
Unable to cope with complaints and treated customers ‘unfairly’
Further, the FCA criticised the delays in handling the incident: the UK firm only found out that data had been accessed six weeks after the hack was discovered, and it was informed by the US parent company only five minutes before the breach was announced publicly.
This meant Equifax was unable to cope with complaints it received when the incident was announced, and led to delays in contacting UK customers.
As part of its public statements, Equifax also “gave an inaccurate impression of the number of consumers affected”.
Further, the FCA said Equifax treated account holders “unfairly” by failing to maintain quality assurance checks for complaints, meaning they were “mishandled”.
The FCA said that when a firm becomes aware of a data breach, it is essential that it promptly notifies affected individuals in a fair, clear and not misleading manner, and implements a fair complaints handling procedure. Firms should also maintain effective cyber-security systems and software, and remain responsible for data that is outsourced.
‘Duty to keep data safe’
The FCA launched its investigation into Equifax in October 2017.
Therese Chambers, joint executive director of enforcement and market oversight, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.
“The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”
Jessica Rusu, FCA chief data, information and intelligence officer, said: “Cyber security and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.”
What does Equifax say?
Equifax would have paid £15.9m but qualified for a 30 per cent discount for “agreeing to resolve this matter”. It also received a 15 per cent credit due to its “high level of cooperation during the investigation”.
The Information Commissioner’s Office also investigated the data breach and imposed a £500,000 fine on Equifax Ltd in 2018.
Patricio Remon, president for Europe at Equifax, said: “Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident. Since the cyberattack against our company six years ago, we have invested over $1.5bn in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.
“We have built one of the world’s most advanced and effective cybersecurity programs. Our maturity level has exceeded all major industry benchmarks, and our posture – the ability to protect our networks, information, and systems from threats – has ranked in the top one per cent of technology companies and top three per cent of financial services companies analysed, for three consecutive years.”