Life / Money

Equifax data hack attracts attention of class-action lawyers and privacy watchdog

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

MONTREAL — A large-scale security breach at credit monitoring company Equifax has already attracted the attention of Canadian class-action lawyers and the country's privacy commissioner as the fallout from the massive hack gathered momentum Friday and thrust corporate concerns about cybersecurity into the spotlight.

Several class-action law firms are circling after the Atlanta-headquartered company revealed on Thursday that it was the victim of a cyberattack during the summer that exposed the personal information of 143 million Americans and an unspecified number of Canadians.

In the U.S., the theft includes consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's licence numbers.

And yet Equifax Canada is remaining largely mum, declining to provide details about how many Canadians were affected or the data that was stolen. It said Friday it had no information to add to what its U.S. parent announced.

Cyber security expert Bob Hudyma said Equifax is being tight-lipped because it is concerned about lawsuits.

"There's no doubt that their legal department has been very, very busy in insuring that they maintain the strongest possible position in these unfortunate circumstances," said Hudyma, who works at Ryerson University's Ted Rogers School of Information Technology Management.

Class-action lawyer Tony Merchant of the Merchant Law Group said he filed a claim in Saskatchewan and plans to follow with lawsuits next week in Ontario, Quebec and elsewhere in the country.

"This is not only the largest loss of data but it's profoundly significant because they were collectors of a variety of pieces of financial information about people," Merchant said.

Many Canadians affected have likely never even heard of the company, he added. 

"So it's even more worrisome because people who may be the subject of identity theft and wrongdoing aren't even thinking 'I should be checking on this'."

The Office of Privacy Commissioner of Canada has asked Equifax to provide a full report on its security breach, including details on how Canadians were affected.

The agency reached out to the company Friday after it received complaints about the hack.

"Given the potential sensitivity of the information, we expect that Equifax will adopt measures to help affected individuals," spokeswoman Valerie Lawton wrote in an email.

Several businesses — including telecom provider Bell Canada and affair-seekers website Ashley Madison — have been stung by breaches in recent years.

Prior to the Equifax release, the biggest hack on record involving Social Security numbers involved about 80 million people during a hack at health insurer Anthem Inc.

Yahoo currently holds the record for the biggest release of confidential information — it was targeted in at least two separate digital burglaries that affected more than one billion of its users' accounts throughout the world. However, it didn't release Social Security numbers or drivers' licence information.

The loss of data can be embarrassing for an organization and can cause headaches for customers whose personal or financial details are suddenly swirling in cyberspace.

Public Safety Minister Ralph Goodale said it's an area that need to be "refreshed" by government, but people also need to be very careful about distributing their own personal information such as social insurance numbers.

"Sometimes they seem to be very reluctant to provide information to a government agency but they'll send it to a commercial organization over the internet at the drop of a hat," he said.

Cybersecurity was a topic among bankers who attended a financial summit in Toronto last week.

Craig Jerusalim, a portfolio manager of Canadian equities at CIBC Asset Management, said more money has been spent by banks to protect against cyber threats.

"It's going to be a race between the thieves and the cyber experts to stay one step ahead of those thieves."

Equifax discovered its hack July 29, but waited until Thursday to warn consumers. It's not unusual for authorities to ask a company to delay public notice of a major hack so that investigators can pursue the perpetrators.

Shares of Equifax (NYSE:EFX) closed down 13.7 per cent to US$123.23 in heavy trading Friday.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,'' Equifax CEO Richard Smith said in a statement.

— With files from the Associated Press

Note to readers: This is a corrected story. A previous version stated Equifax revealed the security breach on Friday, when in fact it was Thursday.

More on Metronews.ca