U.K. regulator probes Equifax after cyber theft of personal data

Register now

(Bloomberg) -- Equifax Inc.’s regulator problem is getting worse.

The credit reference provider, already reeling from American probes into the loss of data on 145.5 million customers in a computer hack, will face an investigation in the U.K., where 694,000 consumers had information stolen.

The U.K. Financial Conduct Authority said Tuesday that it will look into the hack, one of the biggest cyberattacks in history. The regulator has the power to fine the firm or even withdraw its authorization, which would prevent it from running credit checks in Britain.

Equifax shares have lost a quarter of their value since the company revealed in September that hackers accessed the sensitive personal information by exploiting a previously identified software vulnerability between May and July. The data breach is already the subject of state and federal investigations in the U.S.

“Hundreds of thousands of people in the U.K. have been affected by the Equifax data breach,” British lawmaker Nicky Morgan, chair of the House of Commons Treasury Committee, said in an email. “The FCA is right to investigate the circumstances surrounding it.”

Equifax said this month that hackers accessed details such as user names, passwords, secret answers and partial credit card details for 14,961 U.K. consumers. They accessed 637,430 British consumers’ phone numbers; 29,188 driving license numbers and 12,086 email addresses, the company said.


Computer-security specialists offered a patch in March for the loophole that the hackers used, and Equifax discovered the breach July 29.

The company said it will offer identity monitoring and protection services for these consumers depending on what information was stolen. Equifax had previously said fewer than 400,000 consumers in the U.K. were affected.

Morgan wrote to Andrew Bailey, the regulator’s chief executive officer, this month to ask whether it was investigating the company, asking for a response by Tuesday.

Morgan also wrote to Equifax’s Europe president Patricio Remon to say she was “surprised” by the scale of the breach and the amount of time the company had taken to notify the people affected, and would consider calling him to give evidence to the committee in public. A spokesman for the Treasury Committee didn’t immediately comment.

The U.K. privacy regulator, the Information Commissioner’s Office, is also investigating the firm.

“It is a complex and fast-moving case and we are working closely with other U.K. regulators and our counterparts in Canada and the U.S.,” a commission spokesman said by email Tuesday.

Other Probes

The U.S. Federal Trade Commission, the House of Representatives’ Oversight Committee, several state attorneys and the Consumer Financial Protection Bureau are looking into the hack, as is New York’s banking regulator, the Department of Financial Services.

Former CEO Richard Smith was among the handful of executives who left the company in the wake of the hack. Smith testified before U.S. Congress in October. An Equifax spokesman said by email Tuesday that it was already working with the FCA and other regulators.

“Cybercrime is a real and ever-present risk faced by all companies, so it is important that government, regulators and businesses work together to combat this growing threat,” the spokesman said. “We see today’s announcement as a continuation of that process.”

--With assistance from Hannah Levitt

Bloomberg News