Good afternoon, Mr. Chair and members of Parliament. On behalf of Equifax Canada, I would like to thank you for the opportunity to join your committee today. I am here to provide you with current information on the recent cybersecurity incident and to answer your questions as best I can.
My name is John Russo. I am the chief privacy officer and corporate secretary at Equifax Canada. I have proudly worked at this Canadian corporation for the past 10 years. I am based in Toronto, where I have lived my entire life. I take great pride in the services that Equifax Canada offers Canadians from coast to coast to coast, as well as the work that we have undertaken with governments across the country to help strengthen privacy laws for individual Canadians.
I am joined by my colleague, Antonietta Di Napoli, director of global operations at Equifax Canada. While her involvement with the breach activity was limited, she has extensive experience in consumer-facing roles and will be able to provide excellent insight to our consumer practices and procedures.
Today I plan to address three topics. The first one is what happened when our parent company, Equifax U.S., was hacked by criminals and sensitive consumer information was stolen from its servers. Second, I will outline the remediation steps that Equifax Canada has taken to assist impacted Canadians. Third, I will discuss what Equifax Canada is doing today to help ensure this does not happen again, as well as outline what we are doing to empower consumers with greater control over their personal credit information.
However, before I cover any of these three topics, first and foremost I want to offer my sincere apology. On behalf of Equifax Canada and the entire Equifax organization, I apologize to all Canadians whose personal information was compromised. Being a trusted steward of information has long been one of Equifax’s core principles, so we were devastated when this happened. I can assure you that in the months and years leading up to this incident, Equifax U.S. did not take data protection lightly. In fact, it has invested aggressively, particularly over the past five years, in security and network resilience. Nevertheless, the cyber-attack and breach occurred and information was stolen by criminals. We accept full responsibility and are accountable for both the incident and the impact it has had on all Canadians.
First and foremost, the question on your mind is, what happened?
We now know that criminals executed a major cyber-attack on our parent company, Equifax U.S. In addition to accessing information on millions of Americans, they were able to access information on approximately 19,000 Canadians. The information accessed included data such as names, addresses, dates of birth, and social insurance and credit card numbers. For your reference, I will provide a brief overview of what happened through a chronology of events.
On Friday, July 29, our parent company’s security department in the United States observed suspicious network traffic associated with a U.S. consumer-facing website. In response, the Equifax U.S. security department blocked the suspicious traffic that was identified. The department continued to monitor network traffic and observed additional suspicious activity on Saturday, July 30. In response, they took the web application completely off-line that day.
The criminal hack was over, but the work to determine the nature, scope, and more importantly the impact of it was just beginning. It was not known at that time that personal information had been stolen. On August 2, Equifax U.S. engaged an independent cybersecurity firm to investigate the suspicious activity and contacted the FBI.
Over the next several weeks, Equifax U.S. and the cybersecurity firm worked around the clock seeking to identify what had happened.
On September 7, Equifax U.S. issued a news release announcing the cybersecurity incident and referencing that it had identified unauthorized access to limited personal information for certain Canadian consumers. At that time, there were no additional details on the number of impacted Canadians or the specific data that was compromised.
On how we communicated with Canadians, as the chief privacy officer of Equifax Canada, I first found out about the cybersecurity incident and its potential Canadian impact moments before the news release on September 7. I immediately took steps to notify both federal and provincial regulators, and by September 8, I had communicated with the appropriate privacy commissioners, including the Office of the Privacy Commissioner of Canada and consumer reporting regulators across the country.
Equifax Canada also retained Ms. Chantal Bernier, former interim privacy commissioner of Canada, now counsel in the global privacy and cybersecurity group at Dentons. We wanted to meet the highest level of compliance in breach response and transparency with Canadians and regulators alike. While the independent cybersecurity firm worked to complete its investigation and provide Equifax Canada with details of impacted Canadians, we started to implement our plan to notify and assist all impacted Canadians.
We also updated our Canadian consumer website, Equifax.ca, to make it clear to all Canadians where they could go for answers. Additionally, we hired more personnel to staff our Canadian call centre, increased our call centre hours, and established a dedicated breach email address.
Then on September 19, Equifax Canada issued a news release to share the preliminary details we had received about the nature of the impact to Canadians as well as what the investigation had uncovered to date.
On October 2, Equifax U.S. issued a news release with updates, including the fact that approximately 8,000 Canadian consumers were impacted by the breach as well as an additional undetermined number of Canadians whose credit cards were compromised. Later that week, Equifax Canada received the data file containing information on the 8,000 individuals from Equifax U.S., and we reviewed it in order to construct a breach notification mailing list. We started to mail consumer notification letters in both official languages to impacted Canadians on October 13.
The notification letters informed consumers of three key facts: first, that their data had been compromised; second, which specific personal information elements were compromised; and third, it outlined the details on how to activate their free 12-month subscription to Equifax Canada credit monitoring and identity theft protection.
On November 10, Equifax determined that the number of Canadians with compromised credit cards in addition to other personal information was approximately 11,000, bringing the total number of impacted consumers in Canada to approximately 19,000. The additional 11,000 consumers have been notified by mail. Throughout this process, we continued to keep our regulators apprised and updated our Canadian consumer website regularly to include new information.
What are we doing to protect impacted Canadians? Like our parent company in the U.S., Equifax Canada is extending a full range of protection to impacted Canadians free of charge for 12 months. This protection includes daily credit monitoring with alerts informing consumers of key changes to their Equifax credit report. Second, we’re offering daily access to their Equifax credit report and score. Third is Internet scanning with alerts, so if we find their SIN or credit card numbers being used on suspicious websites, we can also alert consumers. Fourth, we're offering up to $50,000 of identity theft insurance to assist affected consumers with out-of-pocket expenses.
Impacted consumers received an activation code in their notification letters, which they can use to activate the services online. Alternatively, they can call into our Canadian call centre to receive personal one-on-one assistance.
Here's what we're doing to help ensure this doesn’t happen again. As I mentioned earlier, as soon as the intrusion was discovered, our parent company, Equifax Inc, started a forensic investigation regarding the attacker activity. That investigation is now complete, and we understand what occurred and the extent of the intrusion. Equifax Inc. took steps to fix vulnerabilities, and has undertaken multiple other short-term and long-term initiatives to protect the consumer data that has been entrusted to it.
It has undertaken a revisit of its entire IT and data security practice. It is further hardening networks, changing procedures to require confirmation when software patches are applied, rolling out new vulnerability detection tools, and strengthening accountability mechanisms. It has also engaged industry experts PwC and Mandiant to assist with the global security program, including strategic remediation and transformation initiatives that will help to identify and implement solutions to strengthen our long-term data protection and cybersecurity defences.
Finally, we have committed to working proactively with the entire industry to develop solutions to the growing cybersecurity and data protection challenges we all face. We see this breach as a turning point not just for Equifax but for everyone interested in protecting personal information.
You may have heard Equifax Inc.'s interim CEO share plans to launch a new consumer service that will enable consumers to lock and unlock their credit file at will, free of charge, and for life, through a mobile interface. That product is scheduled to launch in the U.S. in January. We are working to bring similar functionality to Canadians as soon as possible in the new year to ensure that Canadian consumers will have the same control over their credit information as do their American counterparts.
In closing, on behalf of the entire Equifax Canada team, I would again like to express my sincere apologies to all Canadians. While we have taken steps to protect impacted Canadians, we understand that Canadians across the country were upset by the news that Equifax Inc. suffered a cybersecurity breach, which in turn impacted Canadians’ personal information. Many Canadians, whether they were personally affected or not, expressed their concerns and fears to me personally, to my organization, to the media, and to elected officials. I share their concerns, as does my organization. We at Equifax Canada are truly committed to doing everything in our power to win back their confidence and trust.
Ms. Di Napoli and I welcome any questions you may have at this time.
I'm replacing one of my colleagues today.
After what I've heard, I would like to ask a few questions.
I am amazed just to what extent Equifax's reputation is being eroded by this breach. With all due respect, I must say that your answers do not enlighten me enough.
I have several questions for you, but there is one in particular that has been on my mind for a while.
In the wake of the Equifax breach in the United States, has Equifax Canada, which protects Canadians on this side of the border, put in place a much greater form of protection against this kind of fraud?
And, as everyone knows, when there is a problem like fraud, for example, or when someone steals their identity, it's also the consumer's reputation that is tarnished. Have you looked at this issue and have you provided for compensation? It took you a long time to discover the breach. Here in Canada, we had a press release in September.
Lastly, did you plan to rectify this type of situation, which could have happened if one of your Canadian consumers had their identity stolen somewhere between the time of the fraud and your reaction?
Thank you very much for those two questions.
In regard to what we're doing here in Canada, as I mentioned, we've retained globally PwC and Mandiant to work with all the Equifax entities. We have 24 companies across the world, and we're working with them.
In terms of the closed-loop confirmation that I mentioned earlier, where we not only issue the order to patch, but we also receive confirmation that it was patched, that's in place. I mentioned in my opening statement that it used to take 48 hours to put such patches in place. That has been decreased to 24 hours or less, in terms of what we're doing globally.
We're also refining any existing industry best practices, procedures, and standards. We want to be above industry best practices. I didn't mention that the chief security officer now reports to our interim CEO, so the corporate governance structure has changed at Equifax in terms of accountability. We're centralizing that security rather than having a decentralized system country by country. We're working with all those individuals. We've appointed a chief transformation officer as well to get some better transparency from a security and IT perspective not only in Canada but also globally, so that this incident won't occur in the U.S., in Canada, in Argentina, or anywhere else we operate.
In regard to your second question, on the reputations of affected consumers, Toni's team works individually case by case with each individual consumer. We have call centre representatives who are able to alleviate any consumer concerns or frustrations in terms of walking them through what has transpired, if anything, with their information. We have protections in place that have been used in incidents a lot larger than ours to afford Canadians protection. Again, our number one priority is the Canadian consumer. I've heard from neighbours, friends, family. This affects everybody's reputation. We have 10,000 employees globally. It affects them as dearly as it does the Canadians who were impacted.
At the same time, we want to ensure that Canadians are afforded the best protections there are in the market, based on the regulatory situations in each country. There's a different regulatory situation in the U.S. from that in Canada. We want to make sure we apply those to each country individually to best represent those individuals.