FCA fines Equifax £11m for role in cybersecurity breach

Equifax has been fined £11.2m by the Financial Conduct Authority (FCA) for failing to manage and monitor the security of UK consumer data it had outsourced in 2017 to its parent company in the US, leading to one of the largest cybersecurity breaches in history.

The breach allowed for hackers to access the personal data of approximately 13.8 million people and exposed UK consumers to the risk of financial crime.

The hackers were able to access names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

According to the FCA, the cyberattack and unauthorised access to data was “entirely preventable” and Equifax “did not treat its relationship with its parent company as outsourcing”.

The regulator said as a result, Equifax failed to provide sufficient oversight of how data it was sending was properly managed and protected. There were known weaknesses in the firm’s data security systems and it failed to take appropriate action in response to protect customer data.

Equifax did not find out that UK consumer data has been accessed until six weeks after it had discovered the hack. It was informed about the incident around five minutes before it was announced by the American parent company, meaning that it was unable to cope with complaints it received, leading to delays in contacting UK customers.

Following the cybersecurity breach, Equifax made several public statements on the impact of the incident to UK consumers, which also gave an inaccurate impression of the number of customers affected.

The FCA also said that Equifax treated consumers unfairly by failing to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.

The regulator said that regulated financial firms must have effective cyber security arrangements to protect the personal data they hold. Firms must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsource.

When an FCA-authorised firm becomes aware of a data breach, it is essential it promptly notifies affected individuals in a way which is fair, clear and not misleading and implements fair complaints handling procedures.

Joint executive director of enforcement and market oversight, Therese Chambers, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.

“The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”

Chief data, information and intelligence officer at the FCA, Jessica Rusu, added: “Cybersecurity and data protection are of growing importance to the security and stability of financial services. Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.”

    Share Story:

Recent Stories


FREE E-NEWS SIGN UP

Subscribe to our newsletter to receive breaking news and other industry announcements by email.

  Please tick here to confirm you are happy to receive third party promotions from carefully selected partners.


NEW BUILD IN FOCUS - NEW EPISODE OF THE MORTGAGE INSIDER PODCAST, OUT NOW
Figures from the National House-Building Council saw Q1 2025 register a 36% increase in new homes built across the UK compared with the same period last year, representing a striking development for the first-time buyer market. But with the higher cost of building, ongoing planning challenges and new and changing regulations, how sustainable is this growth? And what does it mean for brokers?

The role of the bridging market and technology usage in the industry
Content editor, Dan McGrath, sat down with chief operating officer at Black & White Bridging, Damien Druce, and head of development finance at Empire Global Finance, Pete Williams, to explore the role of the bridging sector, the role of AI across the industry and how the property market has fared in the Labour Government’s first year in office.


Does the North-South divide still exist in the UK housing market?
What do the most expensive parts of the country reveal about shifting demand? And why is the Manchester housing market now outperforming many southern counterparts?



In this episode of the Barclays Mortgage Insider Podcast, host Phil Spencer is joined by Lucian Cook, Head of Research at Savills, and Ross Jones, founder of Home Financial and Evolve Commercial Finance, to explore how regional trends are redefining the UK housing, mortgage and buy-to-let markets.

The new episode of The Mortgage Insider podcast, out now
Regional housing markets now matter more than ever. While London and the Southeast still tend to dominate the headlines from a house price and affordability perspective, much of the growth in rental yields and buyer demand is coming from other parts of the UK.

In this episode of the Barclays Mortgage Insider Podcast, host Phil Spencer is joined by Lucian Cook, Head of Research at Savills, and Ross Jones, founder of Home Financial and Evolve Commercial Finance.