Equifax UK Data Breach: 15 Million UK Records, FCA Investigation, and the $575M Settlement
The 2017 Equifax data breach is one of the largest and most consequential financial data breaches in history. Globally, the personal data of roughly 147 million people was exposed. In the UK, Equifax Ltd, the UK subsidiary, failed to ensure that data it had transferred to its US parent for processing was adequately protected. Up to 15 million UK records were held in the affected files; the FCA put the number of UK consumers actually affected at 13.8 million. The FCA fined Equifax Ltd £11,164,400 in October 2023. The ICO had already issued its own enforcement action, a £500,000 monetary penalty, in 2018. In the US, the Federal Trade Commission, the Consumer Financial Protection Bureau and the state attorneys general reached a settlement of at least $575 million (rising to as much as $700 million) with Equifax Inc. The case remains the definitive example of what happens when a financial data custodian fails to manage the security of data processed on its behalf.
Equifax UK fined £11.164M by FCA in 2023 for the 2017 breach — 15M UK records exposed, $575M US settlement with FTC/CFPB. Six-year investigation concluded.
What Happened: The Technical Failure and Its UK Dimension
The Equifax breach began with an unpatched Apache Struts 2 vulnerability (CVE-2017-5638, a remote code execution flaw in the framework's Jakarta multipart parser) in the ACIS consumer dispute portal. The vulnerability was publicly disclosed, and fixed releases (Struts 2.3.32 and 2.5.10.1) were published, in March 2017. Equifax's patching process failed to apply the fix to the portal. From 13 May 2017 attackers exploited it to run commands on the web servers and went on to query internal databases. The intrusion was not detected until 29 July 2017, roughly 76 days later; an expired certificate on the appliance that inspected encrypted traffic had left that traffic uninspected for months, and the malicious sessions were only noticed once the certificate was renewed. The UK dimension:
- Equifax Ltd (UK) had transferred UK consumer data to Equifax Inc (US) for processing — a data transfer arrangement with inadequate security oversight
- The data transferred included names, dates of birth, email addresses, telephone numbers, and partial credit card details for UK consumers
- Equifax Ltd was aware that data was being transferred to and processed in the US but failed to ensure adequate protections were in place
- When the breach occurred, Equifax Ltd failed to notify UK consumers promptly. Equifax Ltd itself only learned that UK consumer data was affected when Equifax Inc announced the breach publicly on 7 September 2017, some six weeks after discovery, and some UK consumers were not notified until months after US consumers
- The FCA found that Equifax Ltd outsourced material functions to its US parent without adequate oversight — a direct violation of FCA outsourcing requirements
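Two checks that follow from the vulnerability described above, as an added example in Python (not Equifax's or Apache's own code): a version check against the Struts releases that fixed CVE-2017-5638, and a scan of web request logs for OGNL expressions in the Content-Type header, which is the channel the exploit used. The log format, the sample lines and the two placeholder headers are constructed for the example and are not working payloads.

```python
"""Two checks a web-facing team could have run against the Apache Struts flaw
behind the Equifax breach (CVE-2017-5638): is our Struts version in the
affected range, and are requests carrying OGNL expressions in Content-Type
hitting our servers? Added example; not Equifax's or Apache's own code."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Fixed releases published with the March 2017 advisory. Affected ranges:
# Struts 2.3.5 up to 2.3.31 and 2.5 up to 2.5.10.
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison handles the extra component."""
    return tuple(int(part) for part in version.strip().split("."))


def struts_is_vulnerable(version: str) -> bool:
    """True if a Struts 2 release falls inside the CVE-2017-5638 affected ranges."""
    v = parse_version(version)
    return (2, 3, 5) <= v < FIXED_2_3 or (2, 5) <= v < FIXED_2_5


# The exploit puts an OGNL expression in the Content-Type header: the vulnerable
# multipart parser echoed a malformed header into an error message that Struts
# then evaluated. Legitimate Content-Type values never contain these tokens.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.Runtime", re.I
)

# Constructed log format for this example (not a real Equifax or Apache format):
# <timestamp> <source-ip> "<method> <path>" <status> ct="<Content-Type header>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) ct="(?P<ct>[^"]*)"$'
)

# Constructed sample lines: the IPs are documentation ranges and the two
# suspicious headers are placeholders shaped like OGNL, not working payloads.
SAMPLE_LOG = """\
2017-05-13T02:11:09Z 203.0.113.7 "POST /disputes/upload" 200 ct="multipart/form-data; boundary=----demo"
2017-05-13T02:11:41Z 198.51.100.23 "GET /disputes/upload" 200 ct="%{(#demo='multipart/form-data').(#placeholder)}"
2017-05-13T02:12:05Z 198.51.100.23 "POST /disputes/upload" 500 ct="${#_memberAccess}"
2017-05-13T02:13:17Z 192.0.2.44 "POST /disputes/upload" 200 ct="application/x-www-form-urlencoded"
"""


def content_type_is_suspicious(content_type: str) -> bool:
    """Flag a Content-Type value that carries OGNL expression syntax."""
    return bool(OGNL_MARKERS.search(content_type))


def find_struts_probes(log_text: str) -> List[Dict[str, object]]:
    """Return every parsed request whose Content-Type looks like an OGNL injection."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the whole scan
        if content_type_is_suspicious(m["ct"]):
            hits.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"]), "ct": m["ct"]})
    return hits


def probes_by_source(log_text: str) -> Dict[str, int]:
    """Count suspicious requests per source IP, the pivot an analyst triages on."""
    return dict(Counter(str(h["src"]) for h in find_struts_probes(log_text)))


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(f"Struts {ver}: {'VULNERABLE' if struts_is_vulnerable(ver) else 'fixed'}")
    for hit in find_struts_probes(SAMPLE_LOG):
        print(hit)
    print(probes_by_source(SAMPLE_LOG))
```

The header scan is deliberately method-agnostic: the flaw was in header parsing, so a GET with a crafted Content-Type is just as dangerous as a POST, and a 500 on such a request is a sign the parser reached the error path the exploit abuses. A version check like the first function only helps if it is actually run against every deployed instance; the Equifax failure was that the fix existed but was not applied to the one portal that mattered.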
The FCA's Findings: Outsourcing Oversight Failures
The FCA's Final Notice (October 2023) focused on Equifax Ltd's failure to manage its outsourcing arrangement with Equifax Inc. This framing is significant:
- Equifax Ltd treated the data transfer as an intra-group arrangement rather than a material outsourcing, and therefore did not apply the oversight that the FCA's outsourcing rules (SYSC 8) require. The PRA's SS2/21, published in 2021, sets out the same expectations for dual-regulated firms, but it post-dates the breach
- The FCA found that Equifax Ltd had not conducted adequate due diligence on Equifax Inc's security controls before transferring UK consumer data
- There was no ongoing monitoring of Equifax Inc's security posture or compliance with data protection requirements
- When the breach occurred, Equifax Ltd relied entirely on information from Equifax Inc — it had no independent ability to assess the scope, cause, or remediation of the breach
- The FCA determined that these failures breached Principle 3 (taking reasonable care to organise and control its affairs responsibly and effectively), Principle 6 (customers' interests, for its handling of affected customers' complaints) and Principle 7 (communications with customers, for public statements that understated the scale of the UK impact)
The ICO and GDPR Implications
In September 2018 the ICO issued a Monetary Penalty Notice of £500,000 against Equifax Ltd under the pre-GDPR Data Protection Act 1998, the maximum fine available at the time. Under GDPR, which came into force in May 2018 (after the breach), the same failures would have been subject to fines of up to 4% of global annual turnover or €20 million (£17.5 million under UK GDPR), whichever is higher. The ICO found:
- Equifax Ltd, as data controller, had insufficient oversight of data processed by Equifax Inc on its behalf. The ICO assessed this under the DPA 1998's seventh principle (appropriate security, including a written contract with, and checks on, the processor); the equivalent duties now sit in UK GDPR Articles 28 and 32
- The data was not adequately secured against foreseeable attack vectors — the Apache Struts vulnerability was known and patchable
- Consumer notification was delayed — UK consumers were not informed promptly when the breach was discovered
- The case reinforced that data controllers cannot outsource GDPR responsibility to processors, even intra-group processors
What Financial Firms Must Learn: Data Outsourcing Is Not a Risk Transfer
The Equifax UK case is essential reading for any financial firm that transfers client data to third parties, group companies, or cloud providers for processing:
- Intra-group is not exempt: Transferring data to a parent company, subsidiary, or affiliate does not reduce your regulatory obligations — you remain the data controller and FCA-regulated entity
- Due diligence before transfer: Before transferring client data to any processor, you must assess their security controls, obtain contractual commitments (Data Processing Agreement), and document the assessment
- Ongoing monitoring: The FCA expects ongoing monitoring of third-party data processors — not just initial due diligence. Panorays provides continuous external monitoring of processors' security posture
- Incident notification obligations: When a processor is breached, your regulatory notification clock starts when you become aware of the breach, even if it was the processor's fault. Under UK GDPR Article 33 the processor must tell you without undue delay and you must notify the ICO within 72 hours of becoming aware, so the processor contract should set a notification deadline measured in hours, not days
- International transfers: Data transferred outside the UK needs a lawful transfer mechanism (an adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses) and a transfer risk assessment; the Equifax breach highlighted the risks of inadequate international data transfer governance
Frequently Asked Questions
Why did the FCA fine Equifax six years after the breach?
Complex financial services enforcement investigations take significant time. The FCA's investigation covered Equifax Ltd's outsourcing arrangements, its oversight of Equifax Inc's security controls, its response to the breach, and its consumer notification procedures. International evidence gathering, coordination with the ICO and US regulators, and the volume of data involved all contribute to extended timelines. The six-year duration also reflects that cyber-related enforcement was still relatively new for the FCA, which was developing its approach to this type of case as the investigation progressed.
Is there a credit reference agency equivalent to Equifax that is more secure?
All three major UK credit reference agencies — Equifax, Experian, and TransUnion — hold significant volumes of UK consumer financial data and present similar concentration risks. The question for financial firms is not which agency is safest, but whether your contractual and monitoring arrangements with any credit reference agency you use meet FCA outsourcing standards and your own risk appetite. Panorays can monitor the external security posture of all three agencies continuously.
If our cloud provider suffers a breach affecting our client data, are we liable?
Yes. Under UK GDPR, if you are the data controller (which you are for client data you hold), you remain responsible for the security of that data even when it is processed by a cloud provider. You must have a Data Processing Agreement in place, conduct due diligence on the provider's security, and notify the ICO within 72 hours of becoming aware of a notifiable breach, even if the breach was the cloud provider's fault; the provider, as processor, must notify you without undue delay. The Equifax case confirms this principle: Equifax Ltd was fined for a breach of data held by its US parent, not by Equifax Ltd itself.
Review your third-party data processing arrangements
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.