TORONTO -- Equifax Canada says approximately 100,000 Canadian consumers may have had their personal information and credit card details compromised in the massive cyberattack on the credit data company made public earlier this month.
The company said Tuesday the investigation is ongoing and it appears that the breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.
"We apologize to Canadian consumers who have been impacted by this incident," Lisa Nelson, president and general manager of Equifax Canada, said in a statement.
"We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete."
Equifax Canada has provided information to MasterCard and VISA about Canadians whose credit card details may have been compromised, for communication to the financial institutions involved, the company said in an update on its Canadian website. The financial institutions will communicate the information with its clients, it added.
The company said Tuesday that hackers accessed Equifax Inc.'s systems through a consumer website application intended for use by U.S. consumers. The hackers obtained access to files containing the personal information of some Canadian consumers through the interface, Equifax Canada said.
"Equifax Canada can confirm that Canadian systems are not affected," the company said on its Canadian website. "We have found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases,". "Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S."
On Sept. 7, Equifax announced that on July 29 it discovered a data breach that may have compromised the personal information of 143 million Americans and an undisclosed number of Canadian and U.K. residents. The company said last week that fewer than 400,000 U.K. individuals may have had some of their personal information compromised, but the scope was more limited and unlikely to lead to identity theft.
But Equifax, which collects data about consumers' credit histories and provides credit checks to a variety of companies, had been tight-lipped about the impact of the cyberattack in Canada.
Canada's privacy watchdog announced last Friday that it was probing the data breach.
Equifax said Tuesday that it will be sending mailed notices directly to Canadians who have been impacted in the cyberhack outlining the steps they should take. It is also offering Canadians whose data was put at risk free credit monitoring and identity theft protection for the next 12 months, a service offered to U.S. residents on the day the cyberattack was first announced.
While the credit data company has set up a dedicated website where U.S. residents can check whether they have been affected, it is set up for American Social Security Numbers and does not work for Canadians.
The company is now facing investigations in Canada and the U.S. At least two proposed class actions have been filed in Canada and many more in the U.S. against Equifax in connection with the data breach.
The company's call centre staff in Canada have told callers that only Canadians that have credit files in the U.S. were likely to be impacted, such as individuals who may have lived or worked south of the border. But the Office of the Privacy Commissioner has said that, at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.
The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax "took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure." Last Friday, Equifax announced that its chief information officer and chief security officer were retiring, effective immediately.
Equifax's investigation thus far shows that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada says it is working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity conducting the ongoing investigation.