OTTAWA — Canada’s privacy commissioner says Equifax fell short of its privacy obligations to Canadians during and after a global data breach in 2017.
Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.
Commissioner Daniel Therrien says these exacerbated the impact of the breach, which affected more than 143 million people around the world, including 19,000 Canadians.
Equifax Canada and its U.S.-based parent company agreed to enter into a compliance agreement and have taken steps to improve their security, accountability and data destruction.
The breach occurred after hackers gained access to Equifax Inc.’s systems through a vulnerability the company had known about for more than two months, but had not fixed.
While Equifax Canada offered free credit monitoring to breach victims for at least four years, other protections didn’t match what was offered by the parent company, including credit freezes that restrict access to credit files.
The privacy commissioner also found that the transfer of information about Canadians to the U.S. without their knowledge was inconsistent with its obligations to obtain consent before disclosing personal information to third parties located in another country.