The Atlanta-based credit monitoring company Equifax Inc. has admitted that names, birthdates, addresses, driver's licence numbers, and the detailed financial history of individuals were stolen in a cyberattack on the company that lasted from mid-May to July of this year.
Now CBC reports, "Canadians who have accounts with [Toronto-based] Equifax Canada are expressing frustration after the firm's U.S. parent unveiled a cybersecurity breach that exposed the information of millions of people. ...[The company says] that the information of an undisclosed number of people in Canada and the United Kingdom was compromised. ...On social media, many Canadian users expressed frustration with Equifax Canada, calling on the company to let them know how they can check if their personal information has been part of the security breach."
When a credit card number is compromised that card can be cancelled, but this breach of this information is much more serious in terms of privacy and identity theft. Credit score expert Chantal Chapman told Global News that, "There are 26 million people who have credit scores in Canada. With the information that was taken, a person could fill out a mortgage application or buy a cellphone. It’s pretty scary.”
The CBC notes, "Canada's privacy commissioner wants Equifax to provide a full report on the breach, including details on how Canadians were affected." The Canadian Press adds, "The agency reached out to the company Friday after it received complaints about the hack of sensitive personal [but] the company is refusing to say how many Canadians were affected or what data had been stolen in those cases."
The privacy commissioner's action appear to be much weaker than some actions being taken in the United States. Reuters reports, "At least five state attorneys general, including New York and Illinois, said they were formally investigating the breach." To date, the company has only commented, “Equifax will work with U.K. and Canadian regulators to determine appropriate next steps."
No explanation has been given why Equifax waited six weeks after the breach was uncovered to alert their customers to what had happened (although it could have been to give police time to investigate the data theft).
Neither has any explanation been given as to why Equifax set up a support website under a different domain name than the company's main website (Reuters notes this mirrors a tactic that can be used to fraudulently collect data).
Furthermore, the Canadian Press reports, "The Atlanta-based parent company has set up a dedicated website and call centre to help consumers determine if their information may have been affected. The website is www.equifaxsecurity2017.com and the call centre is at 877-323-2598. However, it may be prudent to wait before checking the status of your information. Social media users have flagged language on Equifax's website that appears to suggest that people who sign up for its TrustedID Premier security service waive their rights to participate in a class-action lawsuit."
And Global News notes, "Three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered it had been hacked, according to documents filed with securities regulators. In a subsequent statement, Equifax said the three executives 'had no knowledge that an intrusion had occurred at the time they sold their shares'."
The Council of Canadians is calling on the federal government to intervene to ensure the privacy and rights of Canadians are respected in relation to the actions of this US-based corporation - and to ensure that the strictest regulations are in place to address the concerns now being raised with respect to Equifax.