Equifax fell short of privacy obligations to Canadians, says privacy commissioner

More than 143 million people around the world, including 19,000 Canadians, were affected

The Equifax Inc., offices in Atlanta are shown on July 21, 2012. Canada’s privacy commissioner says Equifax fell short of its privacy obligations to Canadians during and after a global data breach last year. Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach. THE CANADIAN PRESS/AP, Mike Stewart

The Equifax Inc., offices in Atlanta are shown on July 21, 2012. Canada’s privacy commissioner says Equifax fell short of its privacy obligations to Canadians during and after a global data breach last year. Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach. THE CANADIAN PRESS/AP, Mike Stewart

Equifax contravened Canada’s privacy law and fell short of its obligations to Canadians during and after a global data breach in 2017, federal privacy commissioner Daniel Therrien said Tuesday.

More than 143 million people around the world, including 19,000 Canadians, were affected by unauthorized access the financial services company’s systems.

“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Therrien said in a news release.

His office concluded the company’s deficiencies included poor security safeguards, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.

READ MORE: Equifax hack compromised 100,000 Canadians’ personal data

The Office of the Privacy Commissioner also concluded that Equifax retained information too long.

Therrien said Equifax Canada and its U.S.-based parent company have agreed to improve their security, accountability and data destruction.

The company said it has co-operated with the investigation.

“Although Equifax does not agree with all of the OPC’s findings and recommendations, we value our relationship with the OPC and the work that it does to protect Canadian consumers,” the company said by email.

“Data security and combating cybercrime is an ongoing battle for all organizations which requires continued innovation and attention.”

The breach occurred when hackers gained access to one of Equifax Inc.’s systems on May 13, 2017 through a vulnerability in the software platform the company had known about for more than two months, but had not fixed.

The attackers operated undetected for about 77 days, ultimately gaining access to Canadian personal information unrelated to the compromised portal.

Equifax Inc. detected the attack on July 29, 2017 and contained it the following day. However, Equifax Canada wasn’t notified of the breach until just before the U.S. parent company publicly disclosed it on Sept. 7, 2017.

Canadians whose personal information was breached were notified the following Oct. 23, but letters sent to them included inaccurate information, including inviting them to use a portal that wasn’t accessible from Canada.

Of the 19 people complained to the privacy commission about Equifax, five said their personal information was compromised during the breach.

They alleged that Equifax shouldn’t have allowed their personal information to be compromised and they were surprised their information was in the United States at all.

Equifax Canada stored Canadians’ credit files on servers within the country and segregated from Equifax Inc.’s systems. However, the information of 19,000 Canadians was breached after they purchased products and services from Equifax Canada, with Equifax Inc. playing an integral role in delivering the purchases.

The the OPC said the transfer of information to the United States without the customers’ knowledge was inconsistent with its obligations to obtain consent before disclosing personal information to third parties located in another country.

The privacy office said it has launched a consultation on cross-border transfers that will result in clarified obligations about obtaining valid consent and accountability for protecting the information. Written submissions are accepted until June 4.

“We know there are advantages to transborder data flows, but individuals ought to — and do, under the law — have a say in whether their personal information will be disclosed outside Canada,” Therrien said.

“Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.”

While Equifax Canada offered free credit monitoring to breach victims for at least four years, other protections didn’t match what was offered by the parent company, including credit freezes that restrict access to credit files.

“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” added Therrien.

Ross Marowits, The Canadian Press

Like us on Facebook and follow us on Twitter

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

This woman is one of two people the Agassiz RCMP are asking for assistance in identifying after a string of alleged thefts in Popkum. (Agassiz RCMP)
Agassiz RCMP ask for help to identify suspects in Popkum thefts

Images of the two suspects were captured on surveillance footage between Jan. 10 and 16

Only students who are attending in-person classes will be asked to take the Foundation Skills Assessment this year in the Fraser Cascade School District. (Unsplash)
Foundation Skills Assessment only for in-person learners: SD78

The provincial assessment will take place between Feb. 15 and March 12 for grades 4 and 7

Abbotsford’s Tradex has been transformed into a volleyball and basketball facility with Open Court. (Instagram photo)
Abbotsford’s Tradex transforms into sports facility

Open Court program hosting volleyball and basketball teams for practices and possibly games

Map of COVID-19 cases for Jan. 10 to 16 by local health area. (BCCDC)
Agassiz, Harrison COVID-19 cases heading back towards weekly normal

The area saw 10 new cases between Jan. 10 and 16, after a one week high of 19

Businesses continue to struggle under COVID-19 restrictions as the pandemic reaches the one-year mark. (B.C. government)
Another 564 COVID-19 cases, mass vaccine plan coming Friday

15 more deaths, community cluster declared in Williams Lake

Premier John Horgan leaves the podium following his first press conference of the year as he comments on various questions from the media in the Press Gallery at B.C. Legislature in Victoria, B.C., on Monday, January 13, 2020. THE CANADIAN PRESS/Chad Hipolito
Interprovincial travel restrictions a no-go, Horgan says after reviewing legal options

The B.C. NDP government sought legal advice as concerns of travel continue

Gem Lake Top, at Big White Ski Resort, seen at Jan. 8. (Big White Ski Resort)
Big White cancels $7.3M in lift tickets, accommodations due to COVID-19 orders

Since November, the ski resort has been forced to make several changes

Jan. 21 marks the 21st day of the 21st year of the 21st century, according to some. (Black Press Media file photo)
The 21st day of the 21st year of the 21st century is upon us

Milestone won’t be back for another 100 years

Darlene Curylo scratched a $3M ticket, BCLC’s largest ever scratch and win prize. (BCLC)
Kelowna woman in shock after winning BCLC’s largest-ever instant-ticket prize

Darlene Curylo couldn’t believe her eyes when she saw the amount of money she’d won from a scratch ticket

While each person has different reasons for becoming homeless, a UBCO study shows they learn through their interactions with different services to perform ‘as homeless’ based on the expectations of service providers. (Contributed)
Kelowna homeless forced to ‘perform’ for resources, says UBCO study

One participant in the study said ‘It is about looking homeless, but not too homeless’

Gov. Gen. Julie Payette takes the royal salute from the Guard of Honour as she makes her way deliver the the throne speech, Wednesday, September 23, 2020 in Ottawa. THE CANADIAN PRESS/Fred Chartrand
Gov. Gen. Julie Payette resigns, apologizes for ‘tensions’ at Rideau Hall

Payette, who is the Queen’s representative in Canada, has been the governor general since 2017

Grounded WestJet Boeing 737 Max aircraft are shown at the airline’s facilities in Calgary, Alta., Tuesday, May 7, 2019. WestJet will operate the first commercial Boeing 737 Max flight in Canada today since the aircraft was grounded in 2019 following two deadly crashes. THE CANADIAN PRESS/Jeff McIntosh
Passengers unfazed as WestJet returns Boeing 737 Max to service on Vancouver flight

After a lengthy review process, Transport Canada cleared the plane to return to Canadian airspace

The top part of the fossil burrow, seen from the side, with feathery lines from the disturbance of the soil – thought to be caused by the worm pulling prey into the burrow. (Paleoenvironntal Sediment Laboratory/National Taiwan University)
PHOTOS: SFU researchers find evidence of ‘giant’ predatory worms on ocean floor

Fossils found the prove the existence of an ancient Taiwanese worm as long as two metres

Most Read