On 13th of October 2023, the Financial Conduct Authority ("FCA") imposed a financial penalty on Equifax Ltd ("Equifax UK") of £11 million for the role Equifax UK played in one of the largest cyber security breaches in history, according to the FCA. In 2017, Equifax UK failed to monitor the security of UK consumers' personal data which was outsourced to Equifax UK's parent company located in the United States.

Background

Equifax UK is an FCA-regulated credit reference agency and data, analytics and technology business holding personal data that requires protection.

The FCA stated that in 2017, Equifax UK's parent company, Equifax Inc. was subject to one of the biggest cyber security breaches in history where cyber-hackers were able to access personal data of as many as 147.9 million US consumers and 13.8 million UK consumers. This was due to the personal data being stored on US servers. Outsourced personal data included names, dates of birth, Equifax membership log in details, addresses and credit card details.

Breach found by the FCA

The FCA considers that the breach exposed UK consumers to the risk of financial crime, which was entirely preventable. Equifax UK failed to implement appropriate measures for monitoring and managing the security of UK consumer data that was outsourced to the US parent company.

According to the financial watchdog, Equifax UK did not find out that UK consumer data had been accessed until six weeks after the US parent company had discovered the hack. This further led to delays in notifying UK customers about the breach and Equifax UK being unable to properly assess and respond to all the complaints received when the incident was announced.

Further, Equifax UK made several public statements on the impact of the incident on UK consumers, which gave an inaccurate impression of the number of consumers affected. Firms which are regulated by the FCA must have effective cyber security arrangements to protect the personal data they hold. Systems and software must be up to date and fully prepared to prevent unauthorised access and firms must remain responsible for all data they outsource.

The FCA further stated that when an authorised firm becomes aware of a data breach, it is essential it promptly notifies affected individuals in a way which is fair, clear and not misleading and implements fair complaints handling procedures.

Failure to keep the data safe compounded with the mishandling of the data breach responses was found to be a failing of FCA Principles 3 (risk management systems), 6 (regard to customer interests) and 7 (communication with clients) of the Principles for Businesses and is what led to the FCA imposing the fine.

ICO fine in 2018

Equifax UK was also fined by the Information Commissioner's Office ("ICO") for the same failures in 2017 under the Data Protection Act 2018. Equifax UK faced the maximum penalty available to the ICO under the 2018 Act of £500,000 although escaped the much heftier fine available under the GDPR (which provides the ICO with the power of imposing a fine of up to €20 million or 4% of the offender's annual global turnover, whichever is higher) since it only came into force on 25 May 2018.

Conclusion

The FCA fine follows an investigation it began in 2017 and acts as a reminder that incidents involving personal data are also subject to controls by sector-specific regimes, especially financial services.

Organisations operating in regulated sectors such as those regulated by the FCA and the Prudential Regulation Authority ("PRA") should take heed of their obligations for cyber-resilience.

Furthermore, organisations that have intra-group arrangements for their personal data processing should ensure to have applicable security measures in place and an appropriate communication strategy in the event of a breach.

Equifax UK was not informed of the breach by Equifax, Inc. until a few minutes before the incident was publicly announced and was thus not prepared to handle the influx of customer complaints. Regulators will also look at how the matter is handled post-breach when providing its decision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.