Canada’s privacy watchdog investigating Equifax breach
Canada’s privacy watchdog launched an investigation into the massive Equifax Inc. data breach after hearing from dozens of concerned Canadians as customers in the country have yet to be told whether hackers stole their personal information.
“The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds,” the Office of the Privacy Commissioner of Canada said in an announcement on its website.
Equifax, a credit-monitoring company used by many creditors to check consumers’ credit histories, said on Sept. 7 that it fell victim to a massive cyberattack that may have compromised the personal data of up to 143 million Americans from May 13 to July 30.
The United States Computer Emergency Readiness Team detected and disclosed the vulnerability in Apache Struts in March, Equifax said in a statement, adding Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
Equifax announced late Friday that its chief information officer and chief security officer would leave the company immediately.
The credit data company said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring from Equifax. Ms. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive. Ms. Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Mr. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax’s international technology operations.
When it announced the security issue, Equifax acknowledged the personal information of a limited number of Canadian and British residents may have been breached as well.
More than a week later, on Friday, Equifax released the British figure, saying fewer than 400,000 Britons had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.
The credit monitoring company’s call-centre staff have told callers that only Canadians that have credit files in the United States were likely to be affected. However, the privacy commissioner said that at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.