Equifax fell short of privacy obligations to Canadians, says privacy commissioner

More than 143 million people around the world, including 19,000 Canadians, were affected

The Equifax Inc., offices in Atlanta are shown on July 21, 2012. Canada’s privacy commissioner says Equifax fell short of its privacy obligations to Canadians during and after a global data breach last year. Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach. THE CANADIAN PRESS/AP, Mike Stewart

The Equifax Inc., offices in Atlanta are shown on July 21, 2012. Canada’s privacy commissioner says Equifax fell short of its privacy obligations to Canadians during and after a global data breach last year. Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach. THE CANADIAN PRESS/AP, Mike Stewart

Equifax contravened Canada’s privacy law and fell short of its obligations to Canadians during and after a global data breach in 2017, federal privacy commissioner Daniel Therrien said Tuesday.

More than 143 million people around the world, including 19,000 Canadians, were affected by unauthorized access the financial services company’s systems.

“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Therrien said in a news release.

His office concluded the company’s deficiencies included poor security safeguards, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.

READ MORE: Equifax hack compromised 100,000 Canadians’ personal data

The Office of the Privacy Commissioner also concluded that Equifax retained information too long.

Therrien said Equifax Canada and its U.S.-based parent company have agreed to improve their security, accountability and data destruction.

The company said it has co-operated with the investigation.

“Although Equifax does not agree with all of the OPC’s findings and recommendations, we value our relationship with the OPC and the work that it does to protect Canadian consumers,” the company said by email.

“Data security and combating cybercrime is an ongoing battle for all organizations which requires continued innovation and attention.”

The breach occurred when hackers gained access to one of Equifax Inc.’s systems on May 13, 2017 through a vulnerability in the software platform the company had known about for more than two months, but had not fixed.

The attackers operated undetected for about 77 days, ultimately gaining access to Canadian personal information unrelated to the compromised portal.

Equifax Inc. detected the attack on July 29, 2017 and contained it the following day. However, Equifax Canada wasn’t notified of the breach until just before the U.S. parent company publicly disclosed it on Sept. 7, 2017.

Canadians whose personal information was breached were notified the following Oct. 23, but letters sent to them included inaccurate information, including inviting them to use a portal that wasn’t accessible from Canada.

Of the 19 people complained to the privacy commission about Equifax, five said their personal information was compromised during the breach.

They alleged that Equifax shouldn’t have allowed their personal information to be compromised and they were surprised their information was in the United States at all.

Equifax Canada stored Canadians’ credit files on servers within the country and segregated from Equifax Inc.’s systems. However, the information of 19,000 Canadians was breached after they purchased products and services from Equifax Canada, with Equifax Inc. playing an integral role in delivering the purchases.

The the OPC said the transfer of information to the United States without the customers’ knowledge was inconsistent with its obligations to obtain consent before disclosing personal information to third parties located in another country.

The privacy office said it has launched a consultation on cross-border transfers that will result in clarified obligations about obtaining valid consent and accountability for protecting the information. Written submissions are accepted until June 4.

“We know there are advantages to transborder data flows, but individuals ought to — and do, under the law — have a say in whether their personal information will be disclosed outside Canada,” Therrien said.

“Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.”

While Equifax Canada offered free credit monitoring to breach victims for at least four years, other protections didn’t match what was offered by the parent company, including credit freezes that restrict access to credit files.

“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” added Therrien.

Ross Marowits, The Canadian Press

Like us on Facebook and follow us on Twitter

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Located at 9750 West Saanich Rd., this North Saanich mansion is on the market for $10.25 million. (Realtor.ca photo)
Located at 9750 West Saanich Rd., this North Saanich mansion is on the market for $8.65 million. (Realtor.ca photo)
The five most expensive homes for sale in Greater Victoria

A roundup of luxury estates currently on the market

BC Coroners Service is currently investigating a death at Canoe Cove Marina and Boatyard in North Saanich. (Black Press Media File)
Drowning death in North Saanich likely first in B.C. for 2021

Investigation into suspected drowning Monday night continues

Jimmy Fallon joked that a woman’s 4.5-star review of a Langford jail is “the most Canadian thing you could do” in The Tonight Show Jan. 21. (Screenshot/YouTube)
VIDEO: Jimmy Fallon jokes Canadian jails are basically hotels following woman’s 4.5-star review

Woman gave handwritten card to police following stay in Langford cells

Sidney's Beacon Wharf
Pontoon company piqued at prospect of public-private partnership around Sidney wharf

Seagate approached to submit proposeal for public-private partnership

Following a cease work order from the District of Highlands in October, the BC Supreme Court ruled Jan. 20. that bylaws won’t apply to O.K. Industries’ work until its quarrying activity is complete. (Courtesy of District of Highlands)
BC Supreme Court rules Highlands quarry work can continue

District bylaws won’t apply until quarrying activities are complete

Toronto Public Health nurse Lalaine Agarin sets up for mass vaccination clinic in Toronto, Jan. 17, 2021. B.C. is set to to begin its large-scale immunization program for the general public starting in April. THE CANADIAN PRESS/Frank Gunn
B.C.’s COVID-19 mass vaccinations expected to start in April

Clinics to immunize four million people by September

Terry Keogh, an RDN Transit driver, used his paramedic skills the morning of Jan. 22 after coming across an unconscious woman along his route in downtown Nanaimo. (RDN Transit photo)
Nanaimo transit driver stops his bus and helps get overdosing woman breathing again

Former EMT from Ireland performed CPR on a woman in downtown Nanaimo on Friday

Chief Public Health Officer Theresa Tam speaks during a daily briefing in Ottawa. (THE CANADIAN PRESS/Adrian Wyld)
31 cases of COVID-19 variants detected in Canada: Health officials

Dr. Theresa Tam made announces 13 more variant COVID-19 cases in Canada

An Atlantic salmon is seen during a Department of Fisheries and Oceans fish health audit at the Okisollo fish farm near Campbell River, B.C. in 2018. The First Nations Leadership Council says an attempt by industry to overturn the phasing out of salmon farms in the Discovery Islands in contrary to their inherent Title and Rights. (THE CANADIAN PRESS /Jonathan Hayward photo)
First Nations Leadership Council denounces attempt to overturn salmon farm ban

B.C.’s producers filed for a judicial review of the Discovery Islands decision Jan. 18

Daily COVID-19 cases reported to each B.C. health region, to Jan. 20, 2021. Island Health in blue, Northern Health green, Interior Health orange, Vancouver Coastal in red and Fraser Health in purple. (B.C. Centre for Disease Control)
B.C.’s COVID-19 infection rate stays stable with 508 cases Friday

Vaccine delivered to more than 110,000 high-risk people

More than 100 B.C. fishermen, fleet leaders, First Nations leaders and other salmon stakeholders are holding a virtual conference Jan. 21-22 to discuss a broad-range of issues threatening the commercial salmon fishery. (Black Press file photo)
B.C. commercial salmon fishermen discuss cures for an industry on the brink

Two-day virtual conference will produce key reccomendations for DFO

Black Press file photo
Investigation at remote burned-out Vancouver Island cabin reveals human remains

Identity of victim not released, believed to be the owner of an SUV vehicle found parked nearby

Angela Waldick is the new team photographer for the Nanaimo NightOwls. (Nanaimo NightOwls photo)
Half-blind photographer will help new Island baseball team look picture-perfect

Nanaimo NightOwls say legally blind team photographer is making history

School District 57 headquarters in Prince George. (Mark Nielsen, Local Journalism Initiative Reporter)
Prince George school district settles with sexual abuse victim

Terms were part of an out-of-court settlement reached with Michael Bruneau, nearly four years after he filed a lawsuit

Most Read