Equifax hack likely affected only Canadians who have dealings in U.S.
This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)
Armina Ligaya and David Hodges, The Canadian Press
Published Thursday, September 14, 2017 7:56AM EDT
TORONTO -- Equifax Canada's customer service agents are telling callers that only Canadians who have had dealings in the United States are likely to be affected by the massive hack announced last week.
The credit monitoring company's call centre staff say that Canadians who have Equifax accounts in the U.S. could be at risk of having their data compromised, such as those who have lived, worked or applied for credit south of the border.
The Canadian Press made multiple calls as consumers to Equifax Canada's customer service line and were told that consumers whose credit files were not checked outside of Canada are unlikely to be part of any breach.
Equifax Canada did not immediately respond to requests for comment.
Equifax Inc. said last Thursday a security breach occurred over the summer that compromised the private information of up to 143 million Americans, along with an undisclosed number of Canadians. But the company has been tight-lipped about further details, including how many Canadians may have been exposed.
Equifax Canada's website says that "only a limited number of Canadians may have been affected" and "the breach is contained."
"We are working night and day to assess what happened," the credit monitoring company says on its Canadian website.
The Canadian breach may have impacted names, addresses and social insurance numbers, Equifax added.
Organizations that have been targeted by a hack will soon be required by law to provide detailed information to both affected consumers and the Privacy Commissioner of Canada, if changes to the Canada's Personal Information Protection and Electronic Documents Act go ahead as proposed.
As part of new mandatory data breach reporting requirements, organizations must notify individuals directly and provide specific information, such as the circumstances of the breach, the day or period when the breach occurred, and a description of the personal information that has been compromised. Canada's Department of Industry posted the proposed text of the new regulations on Canada Gazette on Sept. 2, for a 30-day public consultation.
Meanwhile, Canada's privacy commissioner has said it has prioritized an examination into the hack to ensure that Canadians' information are protected by future risks.
Canadian and American credit files must be kept separate due to differences in the various laws within the U.S. and Canada, according to the Equifax Canada website.
However, American companies can pull Canadians' files in Canada with consumers' permission, according to credit risk expert Mike Morley.
"Let's say you're a Canadian applying for a mortgage in the U.S. for your cottage... They will make a decision based on your Canadian credit information," Morley said.
That would generate a U.S. credit file for the consumer, he said.
Morley added that Canadians who live and work south of the border would have their credit history pulled in Canada in various situations, including when applying for a credit card, or even by a potential employer or landlord.
Equifax has set up a dedicated website, equifaxsecurity2017.com, and call centre to help consumers determine if their information has been compromised.
However, Canada's privacy watchdog says the website won't help Canadians because it uses U.S. social security numbers.
Instead, the privacy commissioner suggests that Canadians call Equifax at 1-866-828-5961 (English service) or 1-877-323-2598 (French service).
At least two proposed class action lawsuits have been started on behalf of Canadians who may have been affected by the hack.
Tony Merchant, the founder of Merchant Law Group, says he has filed proposed class actions on behalf of plaintiffs in British Columbia, Saskatchewan, Ontario and Quebec. The four plaintiffs checked their files on Equifax's American website -- which asks for last names and U.S. social security numbers -- and were told their data may have been divulged, he added.
Merchant's law firm, which has offices in Edmonton and Calgary, has seen more than 700 Canadians sign up to be part of the class action.
A spokeswoman for the Canadian Anti-Fraud Centre, which is the central agency in Canada that collects identification theft complaints and other related matters, said Wednesday it has not received any complaints in connection with the Equifax hack.