Equifax has been fined more than £11million by the City watchdog after the credit reference agency suffered one of the largest cybersecurity breaches in history.
The Financial Conduct Authority said on Friday that Equifax had failed to manage and monitor the security of UK consumer data it had outsourced to its US parent company.
It thereby handed cyber criminals access to 13.8 million Britons’ names, dates of birth, addresses, phone numbers, login details, and some credit card information.
FCA: ‘Cyber security and data protection are of growing importance to the security and stability of financial services’
The fine highlights concerns about the security of highly sensitive financial information carried by credit ratings agencies like Equifax and its two major rivals, Experian and TransUnion.
The FCA has previously urged credit reference agencies to improve the quality of their data, amid concerns that millions of people could be excluded from accessing finance due to inaccurate information. It is also investigating whether there is a lack of competition in the UK credit rating market.
The FCA’s chief data, information and intelligence officer Jessica Rusu said: ‘Cyber security and data protection are of growing importance to the security and stability of financial services.
‘Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information.’
Equifax, which made UK and Ireland profits in excess of £130million last year, ‘did not treat its relationship with its parent company as outsourcing’, the FCA said, leaving it exposed to the ‘entirely preventable’ 2017 hack.
The FCA said: ‘As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.
‘There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.’
Equifax then did not find out that UK consumer data had been accessed until six weeks after its parent company had discovered the hack, the regulator added.
The FCA said Equifax, which saw a 30 per cent reduction in the value of its fine as a result of cooperation, was also unable to cope with and mishandled customer complaints, and then gave an ‘inaccurate impression of the number of consumers affected’ in public statements thereafter.
American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion
Therese Chambers, joint executive director of enforcement and market oversight at the FCA, said: ‘Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach.
‘The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.’
Vital role: Credit reference agencies like Equifax can decide whether someone is approved for a mortgage, loan or even mobile phone contract (stock image)
Patricio Remon, president for Europe at Equifax, said in a statement on Friday: ‘Equifax has cooperated with the FCA fully throughout this long running investigation and has been recognised by the FCA for that cooperation, our transformation programme and the voluntary consumer redress exercise we implemented after the incident.
‘Since the cyberattack against our company six years ago, we have invested over $1.5 billion in a security and technology transformation. Few companies have invested more time and resources than Equifax to ensure that consumers’ information is protected.
‘We have built one of the world’s most advanced and effective cybersecurity programs. Our maturity level has exceeded all major industry benchmarks, and our posture – the ability to protect our networks, information, and systems from threats – has ranked in the top 1 per cent of technology companies and top 3 per cent of financial services companies analysed, for three consecutive years.’
It is estimated that over seven million people in the UK risk being excluded from accessing affordable financial services because of flaws in credit scoring, which forces them instead to turn to more expensive options such as sub-prime lenders, according to a report by software firm Lexis- Nexis Risk Solutions.
Another survey by Experian found that five million people struggle to access financial products and public services, because there isn’t enough information on their credit record.
