A security breach that allowed criminals to gain access to 1,400 confidential credit files at Equifax Canada was a crime waiting to happen, the president of Consumer Federation Canada says.
"This could have been prevented," said Dan Barnabic, whose non-profit consumer advocacy group is lobbying the government to tighten regulations covering credit-reporting agencies.
Mr. Barnabic said that to access the credit reports at a credit-reporting agency such as Equifax, all a criminal needs to do is set up a front operation.
"You open up a business. Register it. Get your licence and get Bell Canada to put a phone in, in your company's name. Then you have all the accreditation you need. You register as a credit-granting business, like a mortgage company, and for a small fee you can start getting files.
"You can get credit information on just about anybody you want. You just need a name and address for someone to request their credit report.
"And with their credit report you get everything -- social insurance number, how much they've paid, how much they owe. You see exactly what someone has . . . It's so easy to obtain, it's amazing."
Equifax told 1,400 consumers earlier this month that their credit reports "were accessed by criminals posing as legitimate credit grantors."
The company said alerts have since been placed on the affected files, so that potential creditors will confirm a consumer's identity before agreeing to a transaction.
Mr. Barnabic said credit grantors are required by law to get written permission from a consumer before they access credit records maintained by companies like Equifax, or TransUnion Canada, the other national credit reporting agency.
But he said credit-reporting agencies trust credit grantors to do what they are required, and usually don't do any further checks themselves.
"We don't know how this crime at Equifax was done," Mr. Barnabic said, "but my guess is, and I'm just speculating, that someone set up [phony]companies, became members [with Equifax]and just started requesting the credit files.
"If they got a dozen people, maybe more, that posed as credit grantors.. . . Now you are armed to get anyone's report, anywhere in Canada. Then you can pull credit reports on anybody . . . that's the scam. That's probably what they did.
"To get 1,400 files, it cost the criminals about $8,000 or $9,000" in access fees.
"It's amazing how easy it would have been. And it may happen again tomorrow in Toronto or Montreal. It's so easy that it's frightening."
Mr. Barnabic said he has been lobbying the federal government and the government of Ontario to bring in regulations that will make that sort of crime harder to commit.
"There are probably thousands of companies that are pulling files without notifying the consumer," he said. "It could be stopped and it should be stopped."
Mr. Barnabic said government officials are aware of his concerns and he's hopeful some new regulations may be coming.
The Equifax case, he said, underscores the need for prompt action.
Rosaleen Citron, president of WhiteHat Security, a company that specializes in protecting electronic data, said while it's not clear yet what happened, the incident is one of the most serious database attacks to happen in Canada.
"We just don't know enough facts, whether this was electronic or physical, or both. You know, was somebody fronting as a proper credit authority or did somebody get into a credit authority and steal their passwords into that [Equifax]system?
"But either way, this is very serious," she said. "There was a lot of effort put into this. They didn't do it for fun. They were out to make money."
The RCMP is investigating the Equifax incident. In a statement, Sergeant John Ward, the force's media spokesman in British Columbia, said the investigation is continuing. He said each person whose credit reports were accessed has been notified by the company.