Canada’s privacy commissioner investigating Equifax as two executives leave company

Equifax Inc., offices in Atlanta.

Mike Stewart/AP

Canada's privacy watchdog launched an investigation into the massive Equifax Inc. data breach after hearing from dozens of concerned Canadians, as customers in the country have yet to be told whether hackers stole their personal information.

"The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds," the Office of the Privacy Commissioner of Canada said in an announcement on its website.

Equifax, a credit-monitoring company used by many creditors to check consumers' credit histories, said on Sept. 7 that it fell victim to a massive cyberattack that may have compromised the personal data of up to 143 million Americans from May 13 to July 30.

The United States Computer Emergency Readiness Team detected and disclosed the vulnerability in Apache Struts in March, Equifax said in a statement, adding Equifax "took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."

Equifax announced late Friday that its chief information officer and chief security officer would leave the company immediately.

The credit data company said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring from Equifax. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.

Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax's international technology operations.

When it announced the security issue, Equifax acknowledged the personal information of a limited number of Canadian and U.K. residents may have been breached as well.

More than a week later, on Friday, Equifax released the British figure, saying fewer than 400,000 British consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company has remained mum on how many Canadians were affected, and has not responded to multiple requests for comment.

The credit monitoring company's call centre staff have told callers that only Canadians that have credit files in the U.S. were likely to be impacted. However, the privacy commissioner said that at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.

The slow pace of information could be good or bad news for consumers in the Great White North.

It's likely Canadians are the last to find out because the fewest number of them have been impacted, said Hasan Cavusoglu, an associate professor at the University of British Columbia's Sauder School of Business.

It's less likely, but also possible, that the reason is more technical, he said, and Equifax has been unable to pinpoint the segment of Canadian consumers at risk.

Some consumers have expressed concern about the pace of communication and the lack of information about the breach, one of the largest online data breaches in history.

"The company was a victim of fraud and didn't alert its consumers," said Bethany Agnew-Americano, the lead plaintiff in a proposed class action filed in Ontario on Sept. 12.

It's one of at least two class actions filed on behalf of Canadians whose information was stored on Equifax databases, alleging the company breached its contract with class members as well as their privacy rights, was negligent in handling their information, and breached provincial privacy statutes.

The credit monitoring company makes money from offering identity theft protection and fraud alert services, and it needs to be held accountable, Agnew-Americano said.

The Canadian Automobile Association, which partnered with Equifax on its identity protection program, said it is writing to the privacy commissioner requesting the office push the company to provide more information to Canadians.

The CAA is notifying the roughly 10,000 members who participated in the program that they may have had sensitive data divulged.

The privacy commissioner's office tried to soothe some of the brewing frustrations by assuring consumers that Equifax will notify all impacted Canadians in writing as soon as possible.

However, it warned Equifax would not be calling individual consumers and advised Canadians to hang up if anyone calls them claiming to be affiliated with Equifax — regardless of what the caller ID says — as it could be a scam.

Equifax will also offer free credit monitoring to Canadians that are affected, the office said.

While Canadians wait to hear more about the state of their personal data, the company's reputation is taking a big hit as it's already known the breach impacted millions, said Cavusoglu.

On Friday, Equifax announced personnel changes in the wake of the incident, saying its chief information officer and chief security officer are retiring. The company appointed two internal employees to the vacancies on an interim basis.

The company said in the statement that its internal investigation is ongoing, and it is continuing to work with the FBI, as well as Canadian and U.K. regulators.

"Who will trust Equifax after this, this scale of an event," Cavusoglu said. "Business will be substantially affected as a result."

With files from The Associated Press
