Equifax Canada fell short of acceptable data privacy standards

A credit breach that affected 19,000 Canadians was exacerbated by unacceptable standards in data privacy.

The Privacy Commissioner of Canada says that Equifax Canada and its US parent firm failed to meet required levels of safeguarding of the personal data of Canadian consumers.

The data breach occurred in 2017, two months after Equifax Inc. became aware of a vulnerability that it had not fixed.

The Canadian customers impacted had purchased products such as credit reports, with transactions processed by the US parent.

However, Canadian customers were not offered a credit freeze option, something that was offered to US customers, and they were unaware that their data had been transferred to the US.

Equifax Inc. and Equifax Canada fell short on several counts, including retaining information too long; inadequate consent procedures; a lack of accountability for Canadians' information; and limited protection measures offered to affected individuals after the breach.

"Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company's privacy and security practices," said Daniel Therrien, Privacy Commissioner of Canada.

6 years of monitoring
Equifax Canada and Equifax Inc. have since made changes to policies to ensure they meet acceptable standards and have entered into a compliance agreement.

Equifax Canada is also to submit third-party audit reports on its own security and that of Equifax Inc. to the Office of the Privacy Commissioner of Canada every two years for the next six years.
