Canada's privacy watchdog said Friday it has opened an investigation into the massive Equifax Inc. data breach after receiving several complaints and dozens of calls from concerned Canadians.
"The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds," the Office of the Privacy Commissioner of Canada said in an announcement on its website.
It added the credit monitoring company will notify all impacted Canadians in writing as soon as possible. Equifax is used by many creditors to get reports on consumers' credit histories, which include information such as social insurance numbers, credit card numbers and home addresses.
Equifax said on Sept.7 that it was the victim of a massive cyberattack that may have compromised the personal data of as many as 143 million Americans and a limited number of Canadian and U.K. residents.
Canada's privacy watchdog first said on Tuesday that it was "prioritizing" an examination into Equifax's hack and would work with data protection authorities in Canada after news of the leak was made public, months after it first learned about the breach.
The watchdog said Tuesday it asked the credit monitoring company to tell Canadians as soon as possible if their information was stolen and to adopt measures to help them. However, in its update Friday it said that Equifax would not be calling individual consumers and warned about potential scam phone calls from those trying to take advantage of the breach.
It advised Canadians to hang up if anyone calls them claiming to be affiliated with Equifax, regardless of what the caller ID says.
On Friday, the company said fewer than 400,000 British consumer had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.
Equifax has yet to specify how many individuals in Canada were impacted. Equifax has not responded to multiple requests for comment.
The credit monitoring company's call centre staff have told callers that only Canadians that have credit files in the U.S. were likely to be impacted. However, the privacy commissioner said that at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.
Some consumers have expressed concern about the lack of information and communication about the breach, one of the largest online data breaches in history.
"The company was a victim of fraud and didn't alert its consumers," said Bethany Agnew-Americano, the lead plaintiff in a proposed class action filed in Ontario on Sept. 12.
She said the credit monitoring company makes money from offering identity theft protection and fraud alert services, and it needs to be held accountable.
The Canadian Automobile Association said Thursday it partnered with Equifax on its identity protection program and is notifying the roughly 10,000 members who participated that they may have had sensitive data divulged in the security breach made public last week. It said that it was writing to the privacy commissioner to ask that the office push Equifax to provide more information to Canadians, adding that "Equifax has not been forthcoming with information to us despite our repeated requests."
The privacy commissioner's office said that Equifax will also offer free credit monitoring to Canadians that are affected. Equifax also said Friday it is offering identity protection services to British consumers, similar to the program it had already been offering to Americans.
There have been at least two class actions filed on behalf of Canadians whose information was stored on Equifax databases, alleging Equifax breached its contract with class members as well as their privacy rights, was negligent in handling their information, and breached provincial privacy statutes.
Equifax identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birthdates, addresses and full legal names from a massive database maintained primarily for lenders.