Equifax to update Canadians this week, still mum on number affected by hack
Equifax Canada said Monday it plans to provide an update this week on the impact of its massive data breach — nearly two months after it was first discovered — but would not say how many individuals north of the border may have had their personal information compromised.
The credit data company told The Canadian Press that it is working with Canada’s privacy watchdog, which announced an investigation into the cyberattack on Friday.
“We intend to share an update with Canadians this week that will include how we intend to notify any potentially impacted individuals,” an Equifax Canada spokesperson said in an email. “Our investigation is ongoing and we are committed to sharing an update with Canadian consumers.”
Canada’s privacy commissioner said Friday that Equifax has committed to contacting Canadians whose data may be at risk, in writing, as soon as possible, and to offer them free credit monitoring, a service that was provided to U.S. residents on Sept. 7, the day it first announced the data breach.
The company is now facing investigations in both Canada and the U.S., but lawyers say the punitive threat by regulators is stronger south of the border.
Equifax, which collects data about consumers’ credit histories and provides credit checks to a variety of companies, has been tightlipped about the security issue’s impact in Canada.
Equifax Canada did not respond to questions about the number of Canadians who may have had their personal information stolen or whether the potential fallout is limited to Canadians with credit files in the U.S.
The credit monitoring company’s call centre staff have told callers that only Canadians that have dealings in the U.S. were likely to be impacted by the data breach. However, the Office of the Privacy Commissioner said on Friday that, at this point, it is not clear that the affected data was limited to those Canadians.
Equifax said on Sept. 7 that it suffered a massive cyberattack in the summer that may have compromised the personal data of 143 million Americans and an undisclosed number of Canadian and U.K. residents.
The credit data company has since said that fewer than 400,000 U.K. individuals may have been affected in the hack that was discovered on July 29.
Equifax’s Canadian website says that the personal information that may have been breached includes names, addresses and social insurance numbers.
The Federal Trade Commission in the U.S. can issue hefty fines if the credit monitoring company is found to have failed to do enough to protect consumers’ data, but Canada’s privacy watchdog does not have the power to hand down fines, said Toronto-based cybersecurity and privacy lawyer Lyndsay Wasser of McMillan LLP.
Instead, the privacy commissioner can make non-binding recommendations and sign an agreement urging them to comply, she added.
Tamir Israel, a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa, pointed to the hacking of Canadian affair-seeking website Ashley Madison, which paid US$1.6 million to settle with the Federal Trade Commission but was not fined in Canada.
However, Wasser said an application could also be made to a federal court — either by the privacy commissioner or by an individual — for a process in which a judge could award damages to those who have suffered as a result of a data breach.