Skip to main content

A security breach that allowed criminals to gain access to 1,400 confidential credit files at Equifax Canada was a crime waiting to happen, the president of Consumer Federation Canada says.

"This could have been prevented," said Dan Barnabic, whose non-profit consumer advocacy group is lobbying the government to tighten regulations covering credit-reporting agencies.

Mr. Barnabic said that to access the credit reports at a credit-reporting agency such as Equifax, all a criminal needs to do is set up a front operation.

Story continues below advertisement

"You open up a business. Register it. Get your licence and get Bell Canada to put a phone in, in your company's name. Then you have all the accreditation you need. You register as a credit-granting business, like a mortgage company, and for a small fee you can start getting files.

"You can get credit information on just about anybody you want. You just need a name and address for someone to request their credit report.

"And with their credit report you get everything -- social insurance number, how much they've paid, how much they owe. You see exactly what someone has . . . It's so easy to obtain, it's amazing."

Equifax told 1,400 consumers earlier this month that their credit reports "were accessed by criminals posing as legitimate credit grantors."

The company said alerts have since been placed on the affected files, so that potential creditors will confirm a consumer's identity before agreeing to a transaction.

Mr. Barnabic said credit grantors are required by law to get written permission from a consumer before they access credit records maintained by companies like Equifax, or TransUnion Canada, the other national credit reporting agency.

But he said credit-reporting agencies trust credit grantors to do what they are required, and usually don't do any further checks themselves.

Story continues below advertisement

"We don't know how this crime at Equifax was done," Mr. Barnabic said, "but my guess is, and I'm just speculating, that someone set up [phony]companies, became members [with Equifax]and just started requesting the credit files.

"If they got a dozen people, maybe more, that posed as credit grantors.. . . Now you are armed to get anyone's report, anywhere in Canada. Then you can pull credit reports on anybody . . . that's the scam. That's probably what they did.

"To get 1,400 files, it cost the criminals about $8,000 or $9,000" in access fees.

"It's amazing how easy it would have been. And it may happen again tomorrow in Toronto or Montreal. It's so easy that it's frightening."

Mr. Barnabic said he has been lobbying the federal government and the government of Ontario to bring in regulations that will make that sort of crime harder to commit.

"There are probably thousands of companies that are pulling files without notifying the consumer," he said. "It could be stopped and it should be stopped."

Story continues below advertisement

Mr. Barnabic said government officials are aware of his concerns and he's hopeful some new regulations may be coming.

The Equifax case, he said, underscores the need for prompt action.

Rosaleen Citron, president of WhiteHat Security, a company that specializes in protecting electronic data, said while it's not clear yet what happened, the incident is one of the most serious database attacks to happen in Canada.

"We just don't know enough facts, whether this was electronic or physical, or both. You know, was somebody fronting as a proper credit authority or did somebody get into a credit authority and steal their passwords into that [Equifax]system?

"But either way, this is very serious," she said. "There was a lot of effort put into this. They didn't do it for fun. They were out to make money."

The RCMP is investigating the Equifax incident. In a statement, Sergeant John Ward, the force's media spokesman in British Columbia, said the investigation is continuing. He said each person whose credit reports were accessed has been notified by the company.

Report an error Editorial code of conduct
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

If your comment doesn't appear immediately it has been sent to a member of our moderation team for review

Read our community guidelines here

Discussion loading…

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.