The Financial Conduct Authority (FCA) fined Equifax’s U.K. unit more than 11 million pounds (U.S. $13.3 million) regarding the company’s 2017 data breach that affected approximately 13.8 million U.K. consumers.
Equifax was originally fined nearly £16 million (U.S. $19.4 million) but qualified for a 30 percent discount under executive settlement procedures, the FCA announced in a press release Friday. The U.K. regulator also noted Equifax received a 15 percent credit for its cooperation and remedial efforts.
Equifax failed to manage and secure U.K. consumer data outsourced to its parent company in the United States, the FCA alleged.
The details: In 2017, Equifax suffered one of the largest data breaches in history that impacted approximately 147 million consumers globally. In 2019, the company agreed to pay at least $575 million as part of settlements with U.S. federal and state authorities.
In the United Kingdom, the exposed data included names, dates of birth, phone numbers, Equifax membership login details, partial credit card numbers, and residential addresses.
Disclosure of the U.K. breach, however, differed significantly from the U.S. breach. Equifax’s U.S. parent company waited six weeks to inform the U.K. unit of the breach, and did so only five minutes before the breach was announced publicly, the FCA said.
Public statements by Equifax on the impact of the incident to U.K. consumers gave an inaccurate impression of the number of individuals affected, the FCA alleged.
Fallout from the disclosure lag “contributed to the delays in contacting U.K. consumers and [Equifax U.K.’s] inability to cope with the complaints it received when the incident was announced,” the final notice stated.
The company retained a compliance consultancy to clear backlogged complaints but failed to deliver fair outcomes and quality assurance, with some complaints taking up to eight weeks to resolve, per the notice.
A 2018 compliance report found significant weaknesses and instances of material noncompliance in the complaints operating framework, the FCA said.
Compliance considerations: The 15 percent credit Equifax received acknowledged voluntary redress the U.K. unit offered to consumers and a global transformation program it instituted after the incident, the FCA said.
In September 2018, the U.K. Information Commissioner’s Office fined Equifax’s U.K. unit £500,000 (then-U.S. $660,000) in a related case.
Company response: In an emailed statement, Patricio Remon, president for Europe at Equifax, said the company has invested more than $1.5 billion in security and technology improvements since the breach.
“We have built one of the world’s most advanced and effective cybersecurity programs,” Remon said. “Our maturity level has exceeded all major industry benchmarks, and our posture—the ability to protect our networks, information, and systems from threats—has ranked in the top 1 percent of technology companies and top 3 percent of financial services companies analyzed for three consecutive years.”