Privacy watchdog to investigate Equifax

Lethbridge Herald - HEADLINE | NEWS CANADA & BEYOND - Aleksandra Sagan and Armina Ligaya

Canada’s privacy watchdog launched an investigation into the massive Equifax Inc. data breach after hearing from dozens of concerned Canadians as customers in the country have yet to be told whether hackers stole their personal information.

“The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds,” the Office of the Privacy Commissioner of Canada said in an announcement on its website.

Equifax, a credit-monitoring company used by many creditors to check consumers’ credit histories, said on Sept. 7 that it fell victim to a massive cyberattack that may have compromised the personal data of up to 143 million Americans from May 13 to July 30.

The United States Computer Emergency Readiness Team detected and disclosed the vulnerability in Apache Struts in March, Equifax said in a statement, adding Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

When it announced the security issue, Equifax acknowledged the personal information of a limited number of Canadian and U.K. residents may have been breached as well.

More than a week later, on Friday, Equifax released the British figure, saying fewer than 400,000 British consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company has remained mum on how many Canadians were affected, and has not responded to multiple requests for comment.

The credit monitoring company’s call centre staff have told callers that only Canadians that have credit files in the U.S. were likely to be impacted. However, the privacy commissioner said that at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.

The slow pace of information could be good or bad news for consumers in the Great White North.

It’s likely Canadians are the last to find out because the fewest number of them have been impacted, said Hasan Cavusoglu, an associate professor at the University of British Columbia’s Sauder School of Business.

It’s less likely, but also possible, that the reason is more technical, he said, and Equifax has been unable to pinpoint the segment of Canadian consumers at risk.

Some consumers have expressed concern about the pace of communication and the lack of information about the breach, one of the largest online data breaches in history.

“The company was a victim of fraud and didn’t alert its consumers,” said Bethany Agnew-Americano, the lead plaintiff in a proposed class action filed in Ontario on Sept. 12.

It’s one of at least two class actions filed on behalf of Canadians whose information was stored on Equifax databases, alleging the company breached its contract with class members as well as their privacy rights, was negligent in handling their information, and breached provincial privacy statutes.

The credit monitoring company makes money from offering identity theft protection and fraud alert services, and it needs to be held accountable, Agnew-Americano said.

The Canadian Automobile Association, which partnered with Equifax on its identity protection program, said it is writing to the privacy commissioner requesting the office push the company to provide more information to Canadians.

The CAA is notifying the roughly 10,000 members who participated in the program that they may have had sensitive data divulged.

The privacy commissioner’s office tried to soothe some of the brewing frustrations by assuring consumers that Equifax will notify all impacted Canadians in writing as soon as possible.

However, it warned Equifax would not be calling individual consumers and advised Canadians to hang up if anyone calls them claiming to be affiliated with Equifax — regardless of what the caller ID says — as it could be a scam.

Equifax will also offer free credit monitoring to Canadians that are affected, the office said.

While Canadians wait to hear more about the state of their personal data, the company’s reputation is taking a big hit as it’s already known the breach impacted millions, said Cavusoglu.

On Friday, Equifax announced personnel changes in the wake of the incident, saying its chief information officer and chief security officer are retiring. The company appointed two internal employees to the vacancies on an interim basis.

The company said in the statement that its internal investigation is ongoing, and it is continuing to work with the FBI, as well as Canadian and U.K. regulators.

“Who will trust Equifax after this, this scale of an event,” Cavusoglu said. “Business will be substantially affected as a result.”

Canadian Press photo

This July 21, 2012, file photo shows Equifax Inc. offices in Atlanta. Canada’s privacy watchdog launched an investigation into the massive Equifax Inc. data breach after hearing from dozens of concerned Canadians as customers in the country have yet...
