In the wake of a massive cyber attack affecting credit-monitoring company Equifax Inc., Canadian consumers may want to set up a fraud alert on their credit reports.
In addition, consumers are being urged to monitor their online personal data and be more vigilant about what information they give out after the security breach at Equifax, the latest in a growing list of high-profile cyber attacks.
Experts say the breach, which the company says affected 143 million Americans and an unknown number of Canadians, is a reminder to consumers that their personal data is always at risk. Many companies are relying on the latest technology to boost their online security, but continue to struggle to stay ahead of cyber attackers.
"Our personal data is shared and circulated among many different organizations," says Robert Masse, partner, Cyber Risk Services at Deloitte Canada. "Unfortunately, the reality is that organizations are having difficulty dealing with the majority of threats out there – you have to assume that your data has already been compromised."
The Equifax security breach is significant for its size and because the company is in the business of collecting and monitoring consumer data. The Atlanta-based company, one of the Big Three credit bureaus in the U.S., said criminals exploited a U.S. website application to access files between mid-May and July.
The company said the information accessed primarily includes names, social security numbers, birth dates, addresses and some driver's license numbers.
"Criminals also accessed credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers," the company stated. Equifax also said there was "no evidence of unauthorized activity" on its consumer or commercial credit reporting databases, and that the "issue has been contained."
An Equifax Canada spokesperson declined to comment on Friday, saying in an e-mail that the company has "no further information to contribute at this point." The company is directing consumers to its website www.equifaxsecurity2017.com, where they can check if they've been affected by filling out a form using their last name and last six digits of their social security number or social insurance number for Canadians.
That process itself has raised eyebrows since the information required includes pieces of the same data Equifax is offering to protect. Until Nov. 21, Equifax is also offering consumers the option to enroll in its TrustedID Premier monitoring service free for one year.
Andrew Latham, digital content editor at SuperMoney, an American company that offers online personal finance tools, says he was affected by the Equifax breach and was planning to put a security freeze on his credit report, which prevents others from accessing his data to apply for credit cards or other credit accounts. (A security freeze is only available in the U.S.).
For consumers who can't put a credit freeze on their report, including Canadians, Mr. Latham recommends setting up an identity fraud alert. "This makes it so the credit bureaus have to check you are who you claim to be when you ask to see your credit reports," he says. "That's another level of security worth doing."
Mr. Latham also recommends consumers regularly monitor their bank and credit card statements for unauthorized transactions.
"The truth is, breaches like this happen all of the time," Mr. Latham says. "We need to be taking steps to protect our identity."
He also recommends consumers check services such as https://haveibeenpwned.com/, which shows consumers if their e-mail or username has been affected by a breach in the past.
"If your e-mail has been affected, definitely change your password," Mr. Latham says.
Mr. Masse of Deloitte says consumers should also be more careful about what information they give out online, especially when signing up for products or services where you don't pay anything.
"When you sign up for [some of] these websites … you're not a customer, you're a product," Mr. Masse says. "What you're trading as a product is your personal information … you have to think of the trade off."
In some cases, consumers have no choice but to provide personal data needed to set up accounts for essential services such as a phone, utilities and even paying taxes.
"It's not feasible to say, 'just don't give out your data,'" says Mr. Masse. "Once you give your information to organizations, you're at the mercy of their cyber security budget, their security posture and how they manage the data."
Editor's note: A previous version of this article incorrectly suggested that Canadians can put a "security freeze" on their credit reports. That service is only available in the U.S., according to customer service representatives at both TransUnion and Equifax.