Skip to main content

Equifax Inc. corporate offices in Atlanta, Georgia, U.S.

Tami Chappell/REUTERS

Equifax Canada said Tuesday approximately 100,000 Canadian consumers may have had their personal information and credit card details compromised in a massive cyberattack that also affected 143 million Americans, as the U.S. parent company revealed it also had a separate data breach this year.

"We apologize to Canadian consumers who have been impacted by this incident," Lisa Nelson, president and general manager of Equifax Canada, said in a statement.

"We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete."

Story continues below advertisement

Rob Carrick: A $500,000 lesson in how to fight identity theft

Equifax announced on Sept. 7 that it discovered a data breach in July that may have compromised the personal information of 143 million Americans and an undisclosed number of Canadian and U.K. residents.

But the company, which collects data about consumers' credit histories and provides credit checks to a variety of companies, had been tight-lipped about the impact of the cyberattack in Canada.

Canada's privacy watchdog announced last Friday that it was probing the data breach.

The Canadian division said Tuesday an investigation is ongoing and it appears that the breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Equifax Canada has provided information to MasterCard and Visa about Canadians whose credit card details may have been compromised for communication to the financial institutions involved, which will then communicate with consumers, the company said in an update on its Canadian website.

Hackers accessed Equifax Canada's systems through a consumer website application intended for use by U.S. consumers, it said. The hackers apparently obtained access to files containing the personal information of some Canadian consumers through the interface.

Story continues below advertisement

"Equifax Canada can confirm that Canadian systems are not affected," it said on its website.

"We have found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S."

Equifax's investigation so far shows that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said it is working closely with its parent company and an unnamed, independent cybersecurity conducting the ongoing investigation.

The cyberattack occurred through a vulnerability in an open-source application framework that was detected and disclosed in March. The U.S. parent company revealed on Tuesday it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax's human resources and payroll service. The company said there's no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.

Three executives at Equifax were found to have sold stock in the days leading up to the time when Equifax disclosed the more serious breach. Equifax says the three executives, which includes the company's second-highest ranking employee, its chief financial officer, were unaware of the bigger breach when they sold their shares. Equifax has also announced that its chief information officer and chief security officer were retiring, effective immediately.

Story continues below advertisement

Massachusetts Attorney General Maura Healey sued Equifax on Tuesday, making it the first state to take direct legal action against the company following the breach. Its lawyers say that Equifax's negligence exposed more than half the state's adult population to the breach, and the company was negligent in dealing with security threats, including the software vulnerability that has become the centre of the investigation.

The company is now facing investigations in Canada and the U.S. At least two proposed class actions have been filed in Canada and many more in the U.S. against Equifax in connection with the data breach.

Rob Carrick outlines the steps Canadian should take to deal with the Equifax security breach which exposed the personal information of tens of thousands of people
Report an error
Tickers mentioned in this story
Unchecking box will stop auto data updates
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

If your comment doesn't appear immediately it has been sent to a member of our moderation team for review

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.