
UK Watchdog Fines Equifax $13.4 Million over 2017 Data Breach


October 16, 2023


The UK’s Financial Conduct Authority (FCA) has fined credit reporting agency Equifax Ltd 11 million pounds ($13.4 million) for its handling of the 2017 cyberattack on its US parent company, Equifax Inc.

In 2017, Equifax Inc suffered one of the largest data breaches ever recorded, the FCA notes. The attackers made off with the personal data of approximately 13.8 million UK consumers, which was exposed because Equifax Ltd had outsourced that data to Equifax Inc’s servers in the US for processing.

The data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

“The cyberattack and unauthorised access to data was entirely preventable,” according to the watchdog. “Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data.”

Equifax’s UK branch was informed of the incident only some five minutes before it was announced by the US parent company, the FCA notes. As a result, it was unable to cope with the volume of complaints and was delayed in contacting affected UK customers.

When faced with inquiries, the credit reporting agency “gave an inaccurate impression of the number of consumers affected [and] treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled,” stresses the FCA.

Until now, Equifax had paid only a 500,000 pound fine, issued by the UK Information Commissioner’s Office (ICO) under the Data Protection Act 1998 (DPA). Although the EU’s General Data Protection Regulation (GDPR) replaced the DPA in 2018, the breach took place before the GDPR came into effect, so the ICO’s fine had to be issued under the older legislation.




Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
