The Financial Conduct Authority has recently announced it is investigating the circumstances surrounding the loss of UK customers’ data by the credit reference company Equifax, which hit the news following a major cyber security breach.
In September, Equifax’s servers were hacked, resulting in data belonging to 143 million US citizens being stolen. Data was also stolen relating to some 700,000 UK citizens, falling into four categories:
- 637,000 whose phone numbers were stolen
- 29,000 whose driving licence numbers were stolen
- 5,000 who had some of their Equifax membership details, such as usernames and passwords, stolen
- 12,000 whose email addresses were stolen
There is guidance and a helpline for those affected along with free identity theft protection and credit monitoring, but no doubt many people caught up in the breach will fear their data is at risk.
Responding to the FCA probe, the company said: “Equifax Ltd is already working closely with the FCA and other authorities: we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future. Cybercrime is a real and ever-present risk faced by all companies, so it is important that Government, regulators and businesses work together to combat this growing threat.”
Meanwhile, it is good news for consumers that the FCA is on the case – credit reference agencies only came under the FCA's jurisdiction in 2014 and it was just in March this year that Equifax was given full authorisation by the agency.
Equifax has said it wants to win back trust, but is it too late and importantly, what can other firms learn from the experience? Just some pointers include:
- Dealing with a software flaw earlier, it appears, could have prevented the breach. Equifax failed to fix a software problem despite a warning from the US government. Delaying will have cost Equifax dearly: it has already incurred large expenditure to repair its systems and has told investors to expect up to $75 million in further spending.
- Equifax discovered the breach on 29 July but did not report it until 7 September. This resulted in bad publicity and widespread criticism. In the UK, the General Data Protection Regulation requires notification within 72 hours, so such a situation is unlikely to happen here.
- There has been much criticism of the way Equifax has handled the breach, from its response in the early stages, when it was accused of trying to charge customers for its credit monitoring and identity theft services, to the way it handled media queries. Some questioned whether it had an effective crisis management plan.
US Takes Action
Although it is early days, the FCA probe could have serious consequences, since the regulator has authority to not only issue large fines, but also to stop a company operating in the UK.
Looking at what has already happened in the US, it is clear that repercussions are being felt. The company has said it will not be offering its executives bonuses and is suspending share buybacks. Chief Executive Richard Smith and a number of other executives have been ‘retired’, and it has been reported that more than 240 class actions have been filed, along with probes by regulators including the Securities and Exchange Commission, Federal Trade Commission and Financial Industry Regulatory Authority, and by attorneys general from some 50 states.
Equifax remains profitable and time will tell how it will weather this severe storm – criticism continues to swirl around the business from many quarters. And while it will not be the last big name to be affected by a data breach, with so many affected, this one will certainly remain in memories for a long time to come.