100,000 Canadian victims: What we know about the Equifax breach — and what we don't

It's been nearly two weeks since we learned about one of the biggest data breaches in recent memory, and many questions remain unanswered.

When did the company know about the breach? And why didn't it patch the hole intruders used to get in?

The credit monitoring company Equifax admitted Tuesday that the personal information of Canadians was exposed in a recent data breach. (Thomas Peter/Reuters)

It's been nearly two weeks since the credit monitoring company Equifax admitted it had suffered one of the largest data breaches in recent memory — exposing the personal information of a whopping 143 million U.S. consumers.

In a statement released Tuesday, the company finally confirmed approximately 100,000 Canadians were affected too, with names, addresses, social insurance numbers (SIN) and, in limited cases, credit card numbers among the personal information potentially accessed.

How did it happen? Here's what we know so far, and what we don't.

When did the company know about it? 

Equifax has said that the breach occurred in mid-May, but that it only discovered intruders had compromised its systems on July 29 — nearly two months later. And for reasons that remain unclear, it took yet another month for the company to publicly disclose the breach.

However, Bloomberg reported on Monday that it was actually the second time the company had been breached this year. The prior incident occurred in March according to Bloomberg's sources, with one saying it involved the same intruders as the subsequent hack. Equifax says the two incidents were unrelated, but either way, the company knew it was being targeted as early as this past spring.

That timeline will likely prove important, given three of the company's executives sold almost $1.8 million US in shares in the days after the July 29 discovery that the company had been breached. Equifax has denied the executives knew of the breach when they sold their shares.

Why didn't Equifax patch the hole the intruders used to get in? 

We also learned last week that Equifax fell victim to a vulnerability in a widely used piece of software called Apache Struts. It's a favourite of financial institutions and government agencies, used for the development of web applications — which is what made it all the more concerning when a critical flaw was discovered in the software in March. It's not clear why Equifax didn't patch its systems at that time, nor why the security company Mandiant didn't identify the vulnerability when it was called to investigate Equifax's first security breach that same month.

Who's behind it and what did they want?

As is usually the case in the aftermath of big breaches and attacks, this isn't clear. A number of groups have emerged claiming responsibility, but none have been able to provide proof so far. 

How bad is this for Canadians?

On one hand, 100,000 Canadian victims pales in comparison to the 143 million Americans affected. On the other, there's still no easy way to tell whether or not you're among the unlucky few. Equifax set up a website for Americans to check whether their information was affected by the breach, but that website doesn't work for Canadians. Instead, the company said on Tuesday that it "will be sending notices via mail directly to all impacted consumers outlining the steps they should take." 

What's not clear is whether those affected are limited to Canadians with dealings in the U.S., as Equifax Canada's customer service agents reportedly told callers about the breach. In an email, Equifax Canada media relations said it "will share more information as soon as it is available."

And don't think you can merely ask the government for a new SIN either. You can only ask for a replacement if you can prove to the government your SIN has been fraudulently used. 

What happens next? 

The Office of the Privacy Commissioner of Canada (OPC) said last week that it's investigating the breach, and that Equifax is co-operating. That's about all we know for now. In the meantime, the OPC suggests you monitor your credit cards and bank accounts for unauthorized transactions, report any signs of theft or crime to local police, report scams or frauds to the Canadian Anti-Fraud Centre,  and to tell your bank and credit card companies if you believe you've been a target of identity fraud.


Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.