Equifax data breach a 'digital disaster' for Canadians
Columnist David Shipley weighs in on the Equifax data breach announced last week
The fallout of the Equifax data breach is going to be felt by companies, individuals and government for years to come.
This digital disaster will cause millions of people significant stress as they are dragged into a near never-ending battle with identity thieves.
It will cost billions to contain, and attempt to clean-up, and the proceeds of the crime will throw even more fuel onto the roaring fire that is global cyber crime.
What is Equifax and what happened?
Equifax is one of the big four credit bureaus — they rank a person's worthiness to receive credit — things like car loans, mortgages, credit cards or sometimes even services such as telephone, cable and, in the US, even health care.
Their database includes personally identifiable information — names, addresses and most crucially, data like social security numbers in the US or social insurance numbers in Canada.
Companies aren't yet required to report data breaches or disclose any information about such breaches. We are severely lagging behind many countries in this regard ... — David Shipley
In May, an unknown group successfully breached Equifax's online services by exploiting a vulnerability in their web servers.
A software fix, called a patch for the vulnerability, had been available in March but was not put in place. Equifax only reported the breach last week. As many as 143 million Americans and reportedly as many as 44 million people in the UK are affected.
As of this weekend, all we know about Canada is that some people are affected, but no idea exactly how many or how much personal information has been compromised.
Reportedly 10,000 Canadian Automobile Association (CAA) subscribers in Canada have been notified that their information was included in the breach.
Why don't we know more?
To be honest, it's the result of gaping holes in Canada's privacy legislation.
Companies aren't yet required to report data breaches or disclose any information about such breaches. We are severely lagging behind many countries in this regard including the U.S. but leagues behind leaders like Europe.
We've passed some laws in 2015 regarding breach reporting, but haven't brought the required regulations to support the law into force yet.
Canada's federal privacy commission issued a statement on Tuesday urging Equifax to provide this information to Canadians, pointedly noting they were first notified of the breach through media reports and have been "seized" with this issue.
The Commissioner says Equifax is "cooperating" with their office.
The privacy commissioner also took the unusual step of recommending Canadians not use the U.S. website Equifax has set up as it is only designed for use with U.S. Social Security numbers.
The new regulations under Canada's digital privacy act will help a bit — they have fines of up to $100,000 for failing to report a breach like this, but fixed fines such as that have little impact on massive corporations.
What Canada should be doing
Canada should move to adopt new European regulations called the General Data Protection Regulation or GDPR.
Fines under those rules can run up to $30 million Canadian or 4% of revenues, whichever is higher.
- Equifax faces mounting pressure after data breach as CAA reveals 10,000 clients hit
- Canada's privacy commissioner opens probe into Equifax data breach
Those are numbers that are causing firms that do business in Europe to stand up, take notice, fix shoddy products and services and pay more attention to defending against attackers.
Firms the size of Equifax aren't going to change their behaviour for $100,000 fines.
The bigger you are the easier you fall
Breaches such as what happened to Equifax happen every day for a combination of reasons ranging from people falling victim to scam e-mails, to delays in properly updating or patching software or servers, to not investing in appropriate security technologies or audits.
What many people don't know or realize is that large firms have something called technical debt.
Technical debt begins to accrue when you build a new complex IT system — say a system for gathering and sharing people's credit scores. Companies invest millions or even billions to build these systems and then launch them.
But over time, the technology ages.
If firms aren't careful, the system they built can become vulnerable as more and more flaws are found in it over time.
If they don't fix those bugs or flaws — which may cause further issues and can be time consuming, expensive or cause service outages — then as time goes on the probability of a data breach increases dramatically.
What can Canadians do?
Sadly, there's not much Canadians who now have to live with the mess created by the breach can do to prevent something awful from happening to their finances.
Credit monitoring services help, but they can't stop identity theft. They can only alert you that it's happened or at best, in-progress.
Some of the better credit monitoring or identity theft services can go a bit further by assisting in recovering your identity and paying some of the legal costs, but at the end of the day a lot of stress and harm can be caused by a data breach.
The bigger, longer-term issue that the Equifax breach has cast a spotlight on is the obsolescence of the social insurance number ... — David Shipley
In the U.S., there is an option for a credit freeze, though it can cost you money and take many steps to get in place.
Americans can ask the four major credit bureaus including Equifax not to provide their information to anyone, which will stop anyone from trying to get a car loan or credit in their name if the financial institution or service provider requires a credit check.
But that option really doesn't exist in Canada.
Some of the bureaus do allow you to flag your account requiring additional ID or someone to contact you to approve any new credit applications, which may be helpful, but not all have that option and it's not something that's easy to figure out.
Moving past the SIN
The bigger, longer-term issue that the Equifax breach has cast a spotlight on is the obsolescence of the social insurance number and the need for a new secure form of unique personal digital identifier for government and commercial services.
We have to stop using a nearly 50-year-old approach that just doesn't work in a 21st-century digital environment that's full of cyber threats.
Efforts such as New Brunswick's experiments to create a new secure digital ID are a step in the right direction.