Equifax breach provokes frustration for Canadians

Canadians who have accounts with Equifax Canada are expressing frustration after the firm's U.S. parent unveiled a cybersecurity breach that exposed the information of millions of people.

Personal data of 143 million people in U.S. exposed, along with others in Canada, U.K.

Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million people in the United States, along with an undisclosed number of people in Canada and the U.K. (Mike Stewart/Associated Press)

Equifax apologized Friday for its consumer response to a cybersecurity breach that exposed the information of millions of people.

Responding to criticism that its online and phone support systems were either broken or insufficient, Equifax issued a statement saying its customer support website was back up and functioning properly and that it had tripled the size of its call centre team to more than 2,000 agents, with more to be added.

Equifax revealed Thursday that the breach discovered on July 29 could expose the personal information of about 143 million people in the United States. The company also said that the information of an undisclosed number of people in Canada and the United Kingdom was compromised.

Canadians who have accounts with Equifax Canada expressed frustration at the difficulty of getting any help or information from the company.

Jaime Horwitz of Toronto and his wife got accounts with Equifax Canada earlier this year after her purse was stolen from a shopping cart. Police and Visa suggested at that time that they get the accounts to receive identify theft alerts.

On Friday, after news of the giant hack emerged, Horwitz said he had difficulty getting through to the company.

Jaime Horwitz say his wife's personal information may have been compromised in the massive cybersecurity breach reported by Equifax. (CBC)

"I couldn't get to the website, I couldn't get through on the phone, I tweeted them twice ... to see if they had any response, and nothing," he told CBC News. 

He eventually determined that his information hadn't been compromised, but found that his wife's may have been.

"Both my wife and I want to cancel our accounts and we would like Equifax to get rid of all of our information, that's basically what I want," he said. 

"Somehow we have to be able to protect our sensitive information. That is one of the biggest dangers we live in today — cyberhacking and all that stuff."

On social media, many Canadian users expressed frustration with Equifax Canada, calling on the company to let them know how they can check if their personal information has been part of the security breach.

Equifax Canada said Friday it had no information to add to what its parent has announced, according to a report from The Canadian Press.

The massive breach has already attracted the attention of Canadian class-action lawyers and the country's privacy commissioner, as reaction to the massive hack gathered momentum Friday.

Class-action lawyer Tony Merchant of the Merchant Law Group said he filed a claim in Saskatchewan and plans to follow with lawsuits next week in Ontario, Quebec and elsewhere in the country. 

"This is not only the largest loss of data, but it's profoundly significant because they were collectors of a variety of pieces of financial information about people," Merchant told CP. 

Many Canadians affected have likely never even heard of the company, he added. 

"So it's even more worrisome because people who may be the subject of identity theft and wrongdoing aren't even thinking 'I should be checking on this."'

The Office of the Privacy Commissioner of Canada wants Equifax to provide a full report on the breach, including details on how Canadians were affected.

"Given the potential sensitivity of the information, we expect that Equifax will adopt measures to help affected individuals," spokesperson Valerie Lawton said via email.

Personal information taken

Equifax said that from mid-May through July 2017 thieves obtained consumers' names, birth dates, addresses, social security numbers and, in some cases, driver's licence numbers in the cyberattack on the credit monitoring company, which is based in Atlanta.

The massive breach will mean some "very unfortunate stories" to come, says a Canadian technology executive.

"So this means [the perpetrators] have a detailed financial history, obviously all of your current information, and a lot of your current debts, as well as, sort of, paying history," Mark Nunnikhoven, vice-president of cloud research at Trend Micro, told CBC News.

He said the information obtained in the Equifax breach differs from cases involving the theft of credit card numbers because once the card is flagged, its number will be changed and the card will no longer be useful.

"But with the type of information that's exposed in a breach like this, [the thieves] can start going out and getting new credit, getting new financial products under your identity, and those have a much longer lifetime," Nunnikhoven said.

"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."

The breach at Equifax is far from the largest in history. That dubious distinction belongs to Yahoo, which saw more than one billion user accounts compromised in two thefts. However, it could be the largest theft of U.S. social security numbers, topping a 2015 hack of health insurer Anthem Inc. that involved the data of about 80 million people.

Nunnikoven gave Equifax full credit for explaining the breach to the public, noting that the company has set up a dedicated website to keep consumers informed.

"Hopefully the impact to people will be minimal, but with the amount of people affected, unfortunately we are going to see some very unfortunate stories coming out of this," he said.

Long recovery

The process of recovering from the damage caused by identity theft can take weeks, months or even years, Nunnikoven said.

  "When it comes to the type of information that Equifax had, as far as that deep history, all of that identity information, unfortunately the damage can be a lot harder to walk back."

The state attorneys general of New York and Illinois said they have launched formal investigations into the breach, and the U.S. House of Representatives' financial services committee will hold a hearing on the matter, although a date has not been set.

"This is obviously a very serious and very troubling situation, and our committee has already begun preparations for a 
hearing. Large-scale security breaches are becoming all too common," said Republican Rep. Jeb Hensarling, chair of the committee.

At least two proposed federal class-action lawsuits have already been filed in the United States against Equifax, Reuters reported Friday. 

One suit, which was filed in Atlanta, accused the firm of negligence and wilfully violating the Fair Credit Reporting Act for failing to protect customer information. 

Stock drop

Investors punished the company's stock on Friday. On the New York Stock Exchange, Equifax shares fell 13.7 per cent, tumbling $19.49 US to close the day at $123.23 US.

Equifax has said that three of its executives who sold stock just days after the company discovered the breach were not aware of the hack at the time.

Equifax chief financial officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million US in stock on Aug. 1 and Aug. 2.

In a statement, the company said the executives "had no knowledge that an intrusion had occurred at the time they sold their shares."

With files from The Canadian Press and The Associated Press