American credit agency Equifax is to be monitored by the Office of the Privacy Commissioner of Canada (OPCC) for the next six years after a huge data breach of personal information at the firm back in 2017.
The OPCC released the results of its investigation this week, which found that up to 19,000 Canadians were affected by the data breach.
Equifax offers credit monitoring services and credit checks on behalf of lenders and other organizations.
The Canadian and American data obtained by the hackers included credit reports and payment card details. Personal information and more than 209,000 consumers’ credit card credentials were also taken, while millions more had social insurance numbers, driver’s licence numbers or banking information stolen.
Worldwide, a total of 143 million people saw personal information exposed as a result of the breach of the Equifax systems.
The OPCC launched its investigation when a group of Canadians filed complaints with the office after the breach was first made public.
In its findings, the OPCC identified poor security safeguards, the retention of information for too long after it was used to verify a person’s credit history, inadequate consent procedures, a lack of accountability for information and limited protection measures offered to affected customers.
Daniel Therrien, privacy commissioner of Canada, said: “Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices.
“In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority.”
During its investigation, the OPCC found that the information of Canadians affected was exposed because those individuals had obtained products, such as credit monitoring or fraud alerts, from the American company’s Canadian subsidiary, Equifax Canada.
Once information obtained in Canada was in Equifax’s American systems, gaps in security protocols left the Canadian information improperly protected, with the hackers able to exploit this vulnerability.
Equifax first notified the public of the data breach on September 7th 2017, although it said the unauthorized access to its systems is thought to have happened between May and July of that year, with the Equifax security team interrupting the hack on July 29th.
The company has said it believes that hackers accessed Equifax Canada’s systems through a consumer website application intended for use by its US customers.
The OPCC is due to release an updated policy about corporate cross-border data handling.