Financial watchdog fines Equifax Ltd 11 million for role in one of the largest cyber security breaches in history FCA
pGet in touch by phone via our online form or by postpp ppFinancial Conduct Authority
12 Endeavour Square
London E20 1JNpp ppGo to our dedicated section to see support for firms and our latest policy updatespp ppConsumer Duty ppWere hosting events to help firms prepare for the new rules Sign up to hear about these and related communicationsppSee our dedicated section to help you stay uptodate with financial services in the UKpp ppFCA Warning List ppFind our most uptodate warnings of firms and individuals running scams or operating without authorisationppReceive new and updated warnings in a daily emailpp ppThe FCA has fined Equifax Ltd Equifax 11164400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime ppIn 2017 Equifaxs parent company Equifax Inc was subject to one of the largest cybersecurity breaches in history Cyberhackers were able to access the personal data of approximately 138 million UK consumers because Equifax outsourced data to Equifax Incs servers in the US for processingppThe UK consumer data accessed by the hackers ranged from names dates of birth phone numbers Equifax membership login details partially exposed credit card details and residential addressesppThe cyberattack and unauthorised access to data was entirely preventable Equifax did not treat its relationship with its parent company as outsourcing As a result it failed to provide sufficient oversight of how data it was sending was properly managed and protected There were known weaknesses in Equifax Incs data security systems and Equifax failed to take appropriate action in response to protect UK customer datappEquifax did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack The firm was informed about the incident approximately five minutes before it was announced by the American parent company This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customersppFollowing the cybersecurity breach Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident meaning complaints were mishandledppRegulated financial firms must have effective cyber security arrangements to protect the personal data they hold Firms must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsourceppWhen an FCAauthorised firm becomes aware of a data breach it is essential it promptly notifies affected individuals in a way which is fair clear and not misleading and implements fair complaints handling proceduresppTherese Chambers Joint Executive Director of Enforcement and Market Oversight said Financial firms hold data on customers that is highly attractive to criminals They have a duty to keep it safe and Equifax failed to do so They compounded this failure by the ways they mishandled their response to the data breach Regulated firms are on the hook regardless of whether they outsource or notppThe risk of identity theft never stops Cyber criminals are sophisticated and innovative it is imperative that firms maintain the highest standards in data protectionppJessica Rusu FCA Chief Data Information and Intelligence Officer said Cyber security and data protection are of growing importance to the security and stability of financial services Firms not only have a technical responsibility to ensure resiliency but also an ethical responsibility in the processing of consumer information The Consumer Duty makes it clear that firms must raise their standardsppFinal NoticeppGiven the public interest in this matter the FCA confirmed its investigation into Equifax Ltd in 2017ppEquifax Ltd agreed to resolve this matter and qualified for a 30 Stage 1 discount under the Authoritys executive settlement procedures Were it not for this discount the Authority would have imposed a financial penalty of 15949200 before 30 discount on Equifax LtdppEquifax Ltd also received a 15 credit for mitigation in acknowledgement of its high level of cooperation during the investigation the voluntary redress it offered to consumers and the global transformation programme it instituted after the incidentppThe Information Commissioners Office investigated the data breach and imposed a 500000 fine on Equifax Ltd in 2018ppThe data outsourced was for the Equifax Identity Verifier and Global Consumer Solutions The Equifax Identity Verifier product is one of the B2B services Equifax Ltd provides to business customers which helps businesses to verify and authenticate their customers identities Global Consumer Solutions is a product that gives retail consumers access to their credit reports and it also provides a web monitoring service ppFCA Head Officepp12 Endeavour SquareppLondon E20 1JNppContact usppCopyright 2023 FCA All rights reservedppBack to topppCompany no 01920623p
12 Endeavour Square
London E20 1JNpp ppGo to our dedicated section to see support for firms and our latest policy updatespp ppConsumer Duty ppWere hosting events to help firms prepare for the new rules Sign up to hear about these and related communicationsppSee our dedicated section to help you stay uptodate with financial services in the UKpp ppFCA Warning List ppFind our most uptodate warnings of firms and individuals running scams or operating without authorisationppReceive new and updated warnings in a daily emailpp ppThe FCA has fined Equifax Ltd Equifax 11164400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime ppIn 2017 Equifaxs parent company Equifax Inc was subject to one of the largest cybersecurity breaches in history Cyberhackers were able to access the personal data of approximately 138 million UK consumers because Equifax outsourced data to Equifax Incs servers in the US for processingppThe UK consumer data accessed by the hackers ranged from names dates of birth phone numbers Equifax membership login details partially exposed credit card details and residential addressesppThe cyberattack and unauthorised access to data was entirely preventable Equifax did not treat its relationship with its parent company as outsourcing As a result it failed to provide sufficient oversight of how data it was sending was properly managed and protected There were known weaknesses in Equifax Incs data security systems and Equifax failed to take appropriate action in response to protect UK customer datappEquifax did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack The firm was informed about the incident approximately five minutes before it was announced by the American parent company This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customersppFollowing the cybersecurity breach Equifax made several public statements on the impact of the incident to UK consumers which gave an inaccurate impression of the number of consumers affected Equifax also treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident meaning complaints were mishandledppRegulated financial firms must have effective cyber security arrangements to protect the personal data they hold Firms must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsourceppWhen an FCAauthorised firm becomes aware of a data breach it is essential it promptly notifies affected individuals in a way which is fair clear and not misleading and implements fair complaints handling proceduresppTherese Chambers Joint Executive Director of Enforcement and Market Oversight said Financial firms hold data on customers that is highly attractive to criminals They have a duty to keep it safe and Equifax failed to do so They compounded this failure by the ways they mishandled their response to the data breach Regulated firms are on the hook regardless of whether they outsource or notppThe risk of identity theft never stops Cyber criminals are sophisticated and innovative it is imperative that firms maintain the highest standards in data protectionppJessica Rusu FCA Chief Data Information and Intelligence Officer said Cyber security and data protection are of growing importance to the security and stability of financial services Firms not only have a technical responsibility to ensure resiliency but also an ethical responsibility in the processing of consumer information The Consumer Duty makes it clear that firms must raise their standardsppFinal NoticeppGiven the public interest in this matter the FCA confirmed its investigation into Equifax Ltd in 2017ppEquifax Ltd agreed to resolve this matter and qualified for a 30 Stage 1 discount under the Authoritys executive settlement procedures Were it not for this discount the Authority would have imposed a financial penalty of 15949200 before 30 discount on Equifax LtdppEquifax Ltd also received a 15 credit for mitigation in acknowledgement of its high level of cooperation during the investigation the voluntary redress it offered to consumers and the global transformation programme it instituted after the incidentppThe Information Commissioners Office investigated the data breach and imposed a 500000 fine on Equifax Ltd in 2018ppThe data outsourced was for the Equifax Identity Verifier and Global Consumer Solutions The Equifax Identity Verifier product is one of the B2B services Equifax Ltd provides to business customers which helps businesses to verify and authenticate their customers identities Global Consumer Solutions is a product that gives retail consumers access to their credit reports and it also provides a web monitoring service ppFCA Head Officepp12 Endeavour SquareppLondon E20 1JNppContact usppCopyright 2023 FCA All rights reservedppBack to topppCompany no 01920623p