Privacy commissioner launches investigation into Equifax data breach
TORONTO — Canada’s privacy watchdog says it has opened an investigation into the massive Equifax Inc. data breach after receiving several complaints and dozens of calls from concerned Canadians.
The Office of the Privacy Commissioner of Canada says that the credit monitoring company has committed to notifying all impacted Canadians in writing as soon as possible, but it will not be calling affected consumers.
Equifax said last week that it was the victim of a massive cyberattack that may have compromised the personal data of as many as 143 million Americans and a limited number of Canadian and U.K. residents, but has not specified how many individuals in Canada were impacted.
The credit monitoring company’s call centre staff have told callers that only Canadians that have credit files in the U.S. were likely to be impacted.
However, the privacy commissioner says at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.
The watchdog added that Equifax will also offer free credit monitoring to those Canadians that are affected.
Meanwhile, the Canadian Automobile Association is informing thousands of its members that their data may have been compromised.
The CAA said it partnered with Equifax on its identity protection program and is notifying the roughly 10,000 members who participated that they may have had sensitive data divulged in the security breach.
The auto organization’s program required members to register their personal information such as credit cards, banking information and email address, with the option of providing a social insurance number.
It appears that the sensitive information of CAA members who signed up for the identity protection program was stored with Equifax USA, said Ian Jack, CAA managing director of communications and government relations.
The company has shied away from public comment. However, Equifax Canada’s customer service agents have told callers that only Canadians who have had dealings in the U.S. are likely to have had their information compromised in the data breach. That includes those who have lived, worked or applied for credit south of the border.
“Equifax has not been forthcoming with information to us despite our repeated requests,” Jack said.
The identity protection program began in March 2015 and was terminated on July 1, weeks before Equifax discovered the hack on July 29.
“We value our members’ privacy. Our contract with Equifax explicitly said customer data would be governed by Canada’s privacy law, PIPEDA,” Jack said.
“We chose them as a partner because of their then high reputation. CAA did not handle or retain any of the information provided to Equifax.”
Equifax Canada did not respond to requests for comment from Canadian Press.
Equifax has provided consumers in the U.S. with a website that shows whether they are at risk of identity theft and is allowing them to monitor their files for free for one year.
But the online database does not provide Canadians with accurate information because it is based on U.S. social security numbers. The Equifax Canada website says it costs $19.95 per month for the monitoring service.
Toronto lawyer Frances Macklin said she is frustrated that Canadians are more in the dark than U.S. consumers and questioned why there isn’t a dedicated portal for consumers north of the border.
“We’re equally affected. Just because I don’t have a social security number, I don’t get access to information,” said the partner at Gowlings law firm. “I’m completely bewildered by that.”
Communications expert Warren Weeks believes Equifax could not have handled this issue in a worse way.
“We’re talking about the gateway to all of your financial information in your life,” said Weeks, owner of communications firm Weeks Media Group.
“And Canadians, in specific, don’t know if they’ve been targeted or not or they’ve been impacted or not? I think in 2017, that’s unacceptable.”
Equifax may also be under more regulatory pressure in the U.S. than in Canada, said Tamir Israel, a staff lawyer with the Canadian internet Policy and Public Interest Clinic in Ottawa.
The U.S. has federal regulations in place that govern credit reporting companies such as Equifax, which outline both proper business practices and identity theft, Israel said.
“If they don’t deal with this issue appropriately, [that law] is likely to get expanded to address whatever shortcomings they had.”