The Financial Conduct Authority has fined financial data provider Equifax Ltd £11.164m for cyber-security failures which exposed the records of 13.8 consumers.

The watchdog said Equifax failed to, “manage and monitor” the security of UK consumer data outsourced to its US parent company.

Because of the failures hackers were able to access the personal data of 13.8m people, exposing millions of UK consumers to the risk of financial crime, the FCA said. 

In 2017, Equifax’s parent company Equifax Inc was hit by one of the biggest cyber-security breaches in history.

The UK consumer data accessed by the hackers included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.  

The cyberattack and unauthorised access to data was entirely preventable, the FCA said. 

The watchdog said a key issue was that Equifax did not treat its relationship with its parent company as outsourcing. As a result, it failed to provide sufficient oversight of how data it was sending was properly managed and protected.

The FCA said there were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protecting UK customer data.  

Equifax UK did not find out that UK consumer data had been accessed until 6 weeks after Equifax Inc had discovered the hack. The firm was informed about the incident approximately five minutes before it was announced by the American parent company.

The regulator said this meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers. 

Following the cybersecurity breach, Equifax also gave an inaccurate impression of the number of consumers affected and also treated consumers unfairly by failing to maintain quality assurance checks for complaints, meaning some complaints were mishandled. 

The FCA said regulated financial firms must have effective cyber security arrangements and must keep systems and software up to date and fully patched to prevent unauthorised access and remain responsible for data they outsource.  

Therese Chambers, joint executive director of enforcement and market oversight, said: “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not. 

Jessica Rusu, FCA chief data, information and intelligence officer, said: “Firms not only have a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. The Consumer Duty makes it clear that firms must raise their standards.” 

Equifax Ltd agreed to resolve the matter and qualified for a 30% discount on its fine. Without the discount, the fine would have been £15,949,200. Equifax Ltd also received a 15% credit for mitigation in acknowledgement of its "high level" of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident. 

• The Information Commissioner’s Office imposed a £500,000 fine on Equifax Ltd in 2018.