MPs give Equifax Canada's chief privacy officer a rough ride over data breach
Signage at the corporate headquarters of Equifax Inc. in Atlanta on July 21, 2012. (Mike Stewart/AP/THE CANADIAN PRESS)
Jim Bronskill , The Canadian Press
Published Monday, December 4, 2017 5:01PM EST
Last Updated Monday, December 4, 2017 7:34PM EST
OTTAWA -- MPs chastised an Equifax Canada executive Monday for not doing more to make amends to thousands of Canadians whose personal information was compromised by hackers.
John Russo, chief privacy officer for the Canadian branch of the global credit-reporting firm, faced a barrage of pointed questions at a House of Commons committee over how the breach happened and the adequacy of the company's response.
Russo unreservedly apologized for the lapse at Equifax's U.S. parent that affected 19,000 Canadians this year.
"Being a trusted steward of information has long been one of Equifax's core principles, so we were devastated when this happened," Russo told the Commons committee on information, privacy and ethics.
"I can assure you that in the months and years leading up to this incident, Equifax U.S. did not take data protection lightly. In fact, it has invested aggressively, particularly over the past five years, in security and network resilience. Nevertheless, a cyberattack and breach occurred, and information was stolen by criminals."
The breach included names, addresses and social insurance and credit card numbers, as well as usernames, passwords and secret question/secret answer data.
Hackers also accessed or stole the personal data of 145.5 million U.S. consumers and nearly 400,000 Britons in the breach, which was discovered July 29.
Equifax first notified the public of the breach on Sept. 7, though it says the unauthorized access is thought to have happened from mid-May through July.
Equifax has notified affected Canadians by mail -- making efforts to ensure it has up-to-date postal addresses -- and has offered them free credit monitoring and identity theft protection for one year.
The protection includes daily credit monitoring with alerts, daily access to personal Equifax credit reports and scores, Internet scanning of suspicious credit-card number and SIN use, and up to $50,000 of identity theft insurance to help affected people with out-of-pocket expenses.
Conservative MP Bob Zimmer, the committee chairman, said given that the effects of identity theft "can be life-changing," $50,000 seems insufficient to cover people.
"They might not be able to buy a house, they might not be able to have a car for many, many years," he said.
"I would challenge you to do the right thing and make sure that Canadians are made whole again if affected by this."
Liberal MP Brenda Shanahan questioned why the company would end full protection for the 19,000 Canadians after one year.
"It should be for life, Mr. Russo -- for life."
More than 1,600 Canadians have signed on for the complimentary protection services to date, and some who were notified more recently are likely to do so in coming days.
Russo said Equifax was eyeing the so-called dark web -- the shadowy, underground corners of the internet -- for "any suspicious traffic" linked to the compromised information.
Liberal MP Nathaniel Erskine-Smith asked Russo to follow up in writing about what the company was doing to monitor the dark web.
So far, Equifax says it has no complaints of fraudulent activity linked to the affected Canadians.
The committee has been studying Canada's private-sector privacy law, including the possibility of giving the privacy commissioner power to levy fines.
Russo insisted the company was taking steps to ensure such a breach never happens again. "We want to go above and beyond the industry standard."
Since the lapse, Equifax Canada has held regular meetings with the privacy commissioner's office and provincial counterparts, he added.