TORONTO — Equifax Canada is facing intensifying pressure for transparency about its massive cyberhack as the Canadian Automobile Association informed thousands of its members that their data may have been compromised and frustrated consumers asked questions about why they’re being treated worse than their U.S. counterparts.
CAA said Thursday it partnered with Equifax on its identity protection program and was notifying the roughly 10,000 members who participated that they may have had sensitive data impacted in the security breach made public last week.
The program required members to register their personal information such as credit cards, banking information and email address, with the option of providing a social insurance number.
It appears that the sensitive information of CAA members who signed up for the identity protection program was stored with Equifax USA, said Ian Jack, CAA managing director of communications and government relations.
“Equifax has not been forthcoming with information to us despite our repeated requests,” he said.
The identity protection program began in March 2015 and was terminated on July 1, weeks before Equifax discovered the hack on July 29.
Jack said the CAA has been trying since the first reports of the Equifax breach surfaced to determine if it affects any of the approximately 10,000 CAA members who signed up for the program and is writing Canada’s privacy commissioner to express concern and ask that they push Equifax to provide more information to Canadians.
“We value our members’ privacy. Our contract with Equifax explicitly said customer data would be governed by Canada’s privacy law, PIPEDA, and we chose them as a partner because of their then high reputation. CAA did not handle or retain any of the information provided to Equifax,” said Jack.
Equifax Canada did not respond to requests Thursday from The Canadian Press.
The development comes as Canadians who are worried they might be victims of the Equifax Inc. say they are being treated as an afterthought in the wake of one of the largest online data breaches in history.
Equifax Inc. said last Thursday that a security breach occurred over the summer that compromised the private information of up to 143 million Americans, along with a undisclosed number of Canadians.
But the company has not provided further details, including how many Canadians may have been exposed. However, Equifax Canada’s customer service agents have told callers that only Canadians who have had dealings in the United States are likely to have had their information compromised in the data breach. That includes those who have lived, worked or applied for credit south of the border.
The company has provided consumers in the U.S. with a website that shows whether they are at risk of identity theft and is allowing them to monitor their files for free for one year.
But the online database does not provide Canadians with accurate information because it is based on U.S. social security numbers. The Equifax Canada website says it costs $19.95 per month for the same monitoring service.
Toronto lawyer Frances Macklin said she is frustrated that Canadians are more in the dark than U.S. consumers and questioned why there isn’t a dedicated portal for consumers north of the border.
“We’re equally affected. Just because I don’t have a social security number, I don’t get access to information,” said the partner at Gowlings law firm. “I’m completely bewildered by that.”
Communications expert Warren Weeks believes Equifax could not have handled this issue in a worse way.
“We’re talking about the gateway to all of your financial information in your life,” said Weeks, owner of communications firm Weeks Media Group.
“And Canadians, in specific, don’t know if they’ve been targeted or not or they’ve been impacted or not? I think in 2017, that’s unacceptable.”
However, he added, it’s common for a Canadian subsidiary to be told to keep tight-lipped by its U.S. parent when issues arise.
Equifax may be under more regulatory pressure in the U.S. than in Canada, said Tamir Israel, a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa.
The U.S. has federal regulations in place that govern credit reporting companies such as Equifax, which outline both proper business practices and identity theft, Israel said.
“If they don’t deal with this issue appropriately, [that law] is likely to get expanded to address whatever shortcomings they had.”
In Canada, credit reporting agencies are regulated by individual provinces and territories, he added.
“Because of that mismatch, it falls through the cracks a little.”
Armina Ligaya and David Hodges, The Canadian Press