Privacy Commissioner says priority given to examination of Equifax data hack

FILE: Equifax Logo (Wikimedia Commons, Fair Use)

OTTAWA — Canada’s Privacy Commissioner office says it has prioritized an examination into the massive Equifax data hack to ensure that Canadians are protected against future risks.

In a posting on its website, it says it plans to work with data protection authorities in Canada and elsewhere to find out what went wrong.

It says it has asked the credit monitoring company to tell Canadians as soon as possible if their information was stolen and to adopt measures to help them.

Equifax said last Thursday a security breach occurred over the summer resulting in the private information of up to 143 million people in the United States being compromised, along with certain Canadian and U.K. residents.

In a posting on the Canadian part of its website, Equifax says it is “working night and day to assess what happened.”

It says the data breach is “contained,” and the Canadian breach may have involved names, addresses and social insurance numbers.

Equifax says “only a limited number of Canadians may have been affected.”

It says a dedicated website and call centre set up last week won’t help Canadians because it uses U.S. social security numbers, without offering an alternative. The Privacy Commissioner suggested Canadians can call Equifax at 1-866-828-5961 (English service) or 1-877-323-2598 (French service).

Equifax discovered the hack July 29, but waited until Thursday to warn consumers.

An Ontario resident has started a proposed class action on behalf of Canadians who may have been affected by the hack.

The proposed class action includes all residents of Canada whose information was stored on Equifax databases and was accessed without authorization between May 1, 2017 and Aug. 1, 2017.

The statement of claim alleges Equifax breached its contract with class members as well as their privacy rights, was negligent in handling their information, and breached provincial privacy statutes.

Allegations in the statement of claim have not been proven in court.

In the United States, the theft included consumers’ names, Social Security numbers, birth dates, addresses and, in some cases, driver’s licence numbers.