Equifax data breach: Were you affected?


Equifax Canada says 100,000 Canadians were affected by a massive cybersecurity data breach in which hackers stole the personal information of as many as 143 million people from the U.S., Canada and the U.K.

"We apologize to Canadian consumers who have been impacted by this incident," Lisa Nelson, president and general manager of Equifax Canada, said in a statement.

Initially, Equifax only stated that a "limited" number of Canadians had been affected.

"We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete," she said. "Our focus now is on providing impacted consumers with the support they need."

Equifax is now working with the Office of the Privacy Commissioner of Canada (OPC) and will be sending notices via mail directly to all impacted consumers. The letter will explain all of the steps consumers need to take. Equifax is even offering affected customers complimentary credit monitoring and identity theft protection for 12 months.

Here's what Canadians need to know about the Equifax data breach and its potential effect across the border.

Details of the breach
Equifax announced in September 2017 that the breach occurred between mid-May and July 2017. Stolen personal information includes names, birth dates, addresses, U.S. Social Security numbers and 209,000 credit card numbers, the agency said.

Equifax said the breach is now "contained" and that the company is "working night and day to assess what happened."

Security experts pointed to the sheer magnitude of the data breach. To put it in perspective, it has exposed the personal information of nearly half of the population of the United States.

"It is as ridiculous as it gets," says security expert Robert Siciliano, CEO of IDTheftSecurity.com.

"This is not the largest breach ever, but this is definitely the largest breach of Social Security numbers that I am aware of, which is significant in terms of new account fraud," he says.

Why did fraudsters take the information?
Siciliano says that with this stolen information in tow, fraudsters can make money by selling the data on the dark web.

"They are probably already brokering it, meaning they are selling it off," he says. "So, to sell one million Social Security numbers, if they got a penny for each, they could make some substantial money. And those who they sell it to will then work toward turning the data into cash by opening lines of credit using the information."

"With this amount of compromised data hitting the black market, we'll see more fraudsters buying that data and using it to access your accounts using stolen credentials," says Rodger Desai, chief executive officer of PayFone.

He says now is the prime time for consumers to pay close attention to any irregular activity on their accounts and for service providers to amp up multi-factor authentication to keep consumers' accounts safe.

Which Canadians are most likely to be affected?
Officials say Canadians who had dealings in the United States are the ones most likely to have had their data stolen in the Equifax breach.

That includes Canadians who had Equifax accounts in the U.S., from living, working or applying for credit south of the border. According to Equifax Canada's customer service reps, if Canadians have their credit checked outside of the country, they shouldn't be part of the breach.

Equifax Canada did not respond to a request for comment.

Additionally, the Canadian Automobile Association (CAA) warned 10,000 people that they may have been affected because of a CAA contract with Equifax Canada for ID Theft Protection.

The CAA says it partnered with Equifax from March 2015 until June 30, 2017, to provide credit and identity theft protection. Equifax provided the service for CAA members who were enrolled.

"We chose Equifax as a partner because they were one of the most long-established brands in this category, and we wanted to give members the most assurance we could about this new member benefit," the CAA said.

"Since the data breach in the U.S. came to light late last week, we have been seeking answers from Equifax about whether any of the data shared by CAA members with Equifax, and other Canadian data, were compromised," it said.

About 10,000 of CAA's 6.2 million members signed up for this service. None of them are from Alberta or Quebec.

What should concerned Canadians do now?
For now, your best bet is to be on high alert for anomalies on your accounts.

"We recommend that you remain vigilant of incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports," the Equifax website reads. "If you believe you are a victim of identity theft, you should contact the proper law enforcement authorities, including local law enforcement."

The OPC has even waded into the fray, opening its own investigation into the data breach.

The OPC says it received "several complaints and dozens of calls from concerned Canadians." It says Equifax is cooperating in the investigation and will notify all affected Canadians in writing as soon as possible.

Here's what the OPC suggests concerned Canadians do:

  • Canadians should not check whether they're affected by the breach via the U.S. website that Equifax has set up. The site is designed for use for U.S. Social Security numbers and not Canadian social insurance numbers. Canadians can call Equifax at 1-866-828-5691 (English) or 1-877-323-2598 (French) for more information.
  • Equifax will not be calling affected consumers. If someone calls you claiming to be from Equifax, hang up, even if the caller ID display says it is Equifax. Do not provide personal information over the phone or by email.
  • Monitor your credit card and bank account statements regularly and look for any transactions you did not authorize. Report any issues right away.
  • If you identify a concern involving theft or crime, report the incident to local police. Report any scams or frauds to the Canadian Anti-Fraud Centre.
  • If you think you have been a victim of identity fraud, advise your bank and credit card companies. Close any accounts and cancel any cards that may have been compromised.

In the meantime, class-action lawsuits are in the works in the U.S. and in Canada.

Merchant Law Group LLP launched a national class-action lawsuit against Equifax in Canada. A spokesperson from the firm said about 700 Canadians have already signed up.

Published September 19, 2017
