The Office of the Privacy Commissioner (OPC) of Canada has concluded its report on Equifax Canada and the 2017 data breach, which affected 143 million accounts worldwide, including many Canadians, as hackers gained access through a vulnerability left open for over two months.
The OPC says its investigation concluded that both Equifax Canada and its U.S. parent company “fell far short of their privacy obligations to Canadians.”
The privacy failures included “poor security safeguards; retaining information too long; inadequate consent procedures; a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.”
The investigation found 19,000 Canadians were affected by the data breach; Equifax previously reported 100,000 accounts in Canada were impacted.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” says Daniel Therrien, Privacy Commissioner of Canada, in a statement.
Equifax Canada and its parent company will now have to submit third-party security audit reports to the OPC every two years, for the next six years, to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law.
“In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority going forward,” added Therrien.
The OPC says Equifax Canada did not offer Canadians the same protections Americans received, such as free credit freezes, which prevent unauthorized access to credit files.
“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” said the Commissioner.
In numerous complaints to the OPC, Canadians said they were shocked to discover their information from Canada was sent to the U.S. for processing, without proper consent under PIPEDA.