Equifax hack being probed by UK’s financial watchdog

The fallout from the massive Equifax hack, publicly disclosed last month, continues: Today the UK’s financial watchdog said it also wants to get to the bottom of what happened.

In a brief statement on its website today, the UK’s Financial Conduct Authority said: “The FCA announces today that it is investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent.”

While US consumers were the primary victims of the massive data breach, at the time of the public disclosure Equifax also said some UK consumers were affected.

The company has since said it believes hackers accessed info on nearly 700,000 UK consumers, although it has also said a total of 15.2 million records on British citizens could have been involved in the breach.

Reuters reports that the FCA statement follows a letter sent to it from the chair of the UK’s House of Commons’ Treasury Committee asking if Equifax violated terms of its license to operate in the UK, and querying whether the regulator has the power to compel it to provide compensation to UK consumers impacted by the breach.

UK data accessed by unknown hackers is said to include credit accounts, user credentials, partial credit card details and driver license numbers in the case of ~700,000 individuals.

A further 14.5M records which contained names and birth dates of UK consumers were also “potentially compromised”.

In total, Equifax has said the personal data of up to 143M consumers could have been compromised after hackers breached its systems earlier this year.

Earlier this month, Equifax’s recently departed CEO claimed the breach boiled down to a single employee not applying a patch for a vulnerability in Apache Struts — which was the attack vector used to breach its systems between May and July.

The vulnerability in Apache Struts had been identified and disclosed by US-CERT in early March.

In the US, a consumer class action lawsuit was quickly filed against the company last month — seeking billions in damages.

In a statement about the FCA’s action, an Equifax spokesman told us: “Equifax Ltd is already working closely with the FCA and other authorities: we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future. Cybercrime is a real and ever-present risk faced by all companies, so it is important that government, regulators and businesses work together to combat this growing threat. We see today’s announcement as a continuation of that process.”