UK financial service regulators have launched an investigation into Equifax over its handling of the recent mega-breach.
In a brief statement on Tuesday, the Financial Conduct Authority (FCA), which could fine the firm or revoke its right to operate in the UK, said it was "investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent".
In response, Equifax said it welcomed the investigation.
Equifax Ltd is already working closely with the FCA and other authorities: we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future. Cybercrime is a real and ever-present risk faced by all companies, so it is important that Government, regulators and businesses work together to combat this growing threat. We see today's announcement as a continuation of that process.
The FCA probe piles further pressure on Equifax, which already faces pointed questions from an influential Westminster MP. Nicky Morgan, chair of the Treasury Committee, wrote to Equifax Limited's UK boss earlier this month asking for further details about the scale of the breach, and what compensation it intended to provide. Morgan also wrote to the FCA asking for an assessment of Equifax's response to the breach in a letter that also raised the issue of whether the regulator is considering further action. Equifax's UK business is authorised by the FCA.
Asked for an update on this front, an Equifax spokesman said that that the firm recently responded to Morgan's letter.
On September 15, Equifax said a cybersecurity incident that affected 145 million US consumers also affected 400,000 Brits. A month later on October 10 the credit reference agency admitted that it had underestimated the impact the US-centred breach had on UK customers.
Equifax admitted that a file containing 15.2 million UK records dated between 2011 and 2016 had been exposed as a result of the snafu. Most of these were duplicates or test data so the private details of almost 700,000 had actually been exposed. Equifax said it would be contacting affected UK consumers by post.
The breach, which stemmed from an missed Apache Struts patch, was open from May 2017 until it was discovered in July. Equifax had weeks before going public in September but mishandled the breach notification process at almost every turn.
Lowlights have included Equifax's breach handling website – equifaxsecurity2017.com – a botched WordPress install that several security scanners initially feared was a phishing site. In signing up for free post-breach credit monitoring services, US consumers were initially obliged to agree to terms and services that implied they'd forfeit the right to sue Equifax. This implied condition was dropped after objections.
During a hearing before Congress former Equifax chief exec Rick Smith, who retired days before, attempted to blame the breach on a single technician. In the UK, Equifax has been heavily criticised for taking too long to notify affected consumers while they were at heightened risk of identity theft and fraud.
Equifax was criticised not least because it sells identity protection services. Consumers have little to no choice about doing business with Equifax, whose services are used by businesses to check individuals' creditworthiness. ®