Skip to main content
The Globe and Mail
Get full access to globeandmail.com
Support quality journalism
Just $1.99 per week for the first 24weeks
Just $1.99 per week for the first 24weeks
The Globe and Mail
Support quality journalism
Get full access to globeandmail.com
Globe and Mail website displayed on various devices
Just$1.99
per week
for the first 24weeks

var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(select.open)}function setPanelState(o){dom.root.classList[o?"add":"remove"](select.open),dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){console.log("scroll");var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))}pencilInit(".js-sub-pencil",!1);

Equifax contravened Canada’s privacy law and fell short of its obligations to Canadians during and after a global data breach in 2017, federal privacy commissioner Daniel Therrien said on Tuesday.

More than 143 million people around the world, including 19,000 Canadians, were affected by unauthorized access the financial-services company’s systems.

“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit-reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Mr. Therrien said in a news release.

Story continues below advertisement

His office concluded the company’s deficiencies included poor security safeguards, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.

The Office of the Privacy Commissioner also concluded that Equifax retained information too long.

Mr. Therrien said Equifax Canada and its U.S.-based parent company have agreed to improve their security, accountability and data destruction.

The company said it has co-operated with the investigation.

“Although Equifax does not agree with all of the OPC’s findings and recommendations, we value our relationship with the OPC and the work that it does to protect Canadian consumers,” the company said by e-mail.

“Data security and combatting cybercrime is an ongoing battle for all organizations which requires continued innovation and attention.”

The breach occurred when hackers gained access to one of Equifax Inc.’s systems on May 13, 2017, through a vulnerability in the software platform the company had known about for more than two months, but had not fixed.

Story continues below advertisement

The attackers operated undetected for about 77 days, ultimately gaining access to Canadian personal information unrelated to the compromised portal.

Equifax Inc. detected the attack on July 29, 2017, and contained it the following day. However, Equifax Canada wasn’t notified of the breach until just before the U.S. parent company publicly disclosed it on Sept. 7, 2017.

Canadians whose personal information was breached were notified the following Oct. 23, but letters sent to them included inaccurate information, including inviting them to use a portal that wasn’t accessible from Canada.

Of the 19 people who complained to the privacy commission about Equifax, five said their personal information was compromised during the breach.

They alleged that Equifax shouldn’t have allowed their personal information to be compromised and they were surprised their information was in the United States at all.

Equifax Canada stored Canadians’ credit files on servers within the country and segregated from Equifax Inc.’s systems. However, the information of 19,000 Canadians was breached after they purchased products and services from Equifax Canada, with Equifax Inc. playing an integral role in delivering the purchases.

Story continues below advertisement

The the OPC said the transfer of information to the United States without the customers’ knowledge was inconsistent with its obligations to obtain consent before disclosing personal information to third parties located in another country.

The privacy office said it has launched a consultation on cross-border transfers that will result in clarified obligations about obtaining valid consent and accountability for protecting the information. Written submissions are accepted until June 4.

“We know there are advantages to transborder data flows, but individuals ought to – and do, under the law – have a say in whether their personal information will be disclosed outside Canada,” Mr. Therrien said.

“Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.”

While Equifax Canada offered free credit monitoring to breach victims for at least four years, other protections didn’t match what was offered by the parent company, including credit freezes that restrict access to credit files.

“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” Mr. Therrien added.

Report an error
Tickers mentioned in this story
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies