Vancouver Sun

Duncan man files lawsuit over Equifax cyber attack

- KEITH FRASER kfraser@postmedia.com twitter.com/keithrfraser

A Duncan man has filed a class-action lawsuit against Equifax after a cyber attack on the credit-monitoring service in 2017 breached the private information of thousands of Canadians.

Daniel Thalheimer, 46, says he was a client with Equifax and got a letter from the company in October last year informing him that his personal data and information had been compromised, a situation he fears leaves him open to the ongoing risk of identity theft and fraud.

The company didn’t say exactly which information was impacted but indicated his file included his social insurance number, name, address, date of birth, phone number and email address. The file also had his username, password and secret question and answer for the Equifax website.

“With that information, you’d be able to walk into a bank and pose as me and have every document you need to get something,” Thalheimer said. “So that scares me the most.”

His lawsuit, which was filed in B.C. Supreme Court and is believed to be the second such suit in B.C. and the third in Canada to be filed, says the breach occurred between May 13 and July 30, 2017 and could have been avoided.

It claims the data breach occurred because of a vulnerability in a website application, which was exploited to gain access to files.

The developer of the website application was notified of the vulnerability on Feb. 14, 2017 and an upgrade, which fixed the vulnerability, was released on March 6, 2017, says the suit.

Equifax was notified directly that without the upgrade a remote attacker could exploit the identified vulnerability and take control of an affected system, says the lawsuit. Despite a company policy to implement security patches within 48 hours of notification, the upgrade was not installed by Equifax until July 30, 2017, well after the breach occurred, the suit claims.

On Sept. 7, 2017, Equifax, which has its principal executive offices in Atlanta but has a wholly owned subsidiary in Canada, announced that approximately 143 million U.S. consumers and an unspecified number of Canadians were affected by the data breach.

Equifax Canada issued a press release on Sept. 19, 2017 saying 100,000 Canadians were affected.

But less than a month later it stated the number of Canadians whose personal information was impacted was about 8,000, with a further 11,670 Canadians whose credit card information was affected, according to the lawsuit.

In March, the company said a further 2.4 million American consumers had been affected by the breach.

Contained within Equifax’s letter to Thalheimer was an offer for 12 months complimentary credit monitoring under a company plan he had already been a member of at the time.

David Moriarty, a lawyer for Thalheimer, said he was aware of at least one other similar class-action lawsuit filed in B.C. and one in Ontario.

When there is more than one class-action lawsuit filed in a case, frequently counsel for the plaintiffs will work together and prosecute the action collectively, he added.

“We’re not part of any consortium or agreement at this stage. Whether we end up in one in the future, I don’t know.

“We’ll have to wait and see. It’s very early for us.”

The lawsuit seeks to have the case certified as a class-action suit and also seeks general, special, aggravated and punitive damages.

Equifax Canada said in an email that there would be no comment on ongoing litigation.
