The UK’s Financial Conduct Authority has fined Equifax a smidge over £11 million for severe failings that put millions of consumers at risk of financial crime.
The two companies involved here are Equifax Ltd and Equifax Inc. There are key differences between the two that are important in fully understanding the case.
Equifax Inc is the parent company of Equifax Ltd. It too is a global CRA and was the company that stored and processed UK consumer data on behalf of Equifax Ltd under their agreement.
Despite being part of the same group, the Data Processing Agreement constituted an outsourcing of data, meaning Equifax Ltd was still liable for the issues in the eyes of regulators even though it was Equifax Inc’s system blunders that led to the incident.
Equifax Inc only became aware of the breach on July 30, 2017, and by August 11, 2017, it knew customer data may have been accessed.
Equifax Ltd became certain that UK data was compromised on August 29, 2017, and due to the nature of the Data Processing Agreement between Equifax Ltd and Equifax Inc, the former should have notified UK regulators at least by this point, but ideally on the 11th. Equifax Inc was told by lawyers on September 5, 2017, that Equifax Ltd needed to tell the ICO. It took two further days to communicate this to Equifax Ltd. The FCA only learned about the breach in a press report published on September 8, 2017, following Equifax’s public disclosure in the late hours of September 7.