UK fines Equifax $13.6 million for 2017 data breach


The UK arm of credit reporting firm Equifax was fined £11,164,400 (about $13.6 million) on Friday by a British regulator for allowing hackers to access the personal information of millions of people in 2017.

About 13.8 million UK consumers were affected in the incident, according to the Financial Conduct Authority, and it remains one of the largest data breaches of all time. About 148 million people in the U.S. had their data exposed in the attack.

The watchdog found that Equifax Ltd, the firm’s U.K. business, exposed data because it outsourced processing to servers run by its U.S. parent, Equifax Inc. The affected information included “names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses,” the FCA said.

Equifax Ltd did not find out that U.K. consumer data had been accessed “until 6 weeks after Equifax Inc had discovered the hack,” the FCA said. The U.K. arm wasn’t informed about the incident until “approximately five minutes before it was announced by the American parent company. This meant Equifax was unable to cope with complaints it received when the incident was announced and led to delays in contacting UK customers,” the watchdog said.

Company officials told reporters that they had fully cooperated with the FCA’s investigation and invested $1.5 billion in cybersecurity improvements since the attack.

Equifax Inc. agreed in 2019 to pay at least $575 million to settle allegations about the incident brought by U.S. state and federal regulators. The U.S. government has accused four Chinese government hackers of carrying out the attack.

In 2018, Britain’s Information Commissioner’s Office separately fined Equifax Ltd £500,000 (then about $668,000) for violating data protection rules due to the 2017 incident.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 
