Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Antonietta Di Napoli, Director, Global Operations, Equifax Canada Co.
John Russo, Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee, Mr. Hugues La Rue

3:55 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I can get back to you on that answer. I wouldn't have that information.

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

That's where most of the questions exist now: this huge inexplicable period where there was knowledge in the company that a breach had occurred; some inadequate types of remedial action seemingly taken; and then the download of the information of these millions of people.

3:55 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Just to follow up on your question, it was only on July 29 that we noticed suspicious activity. In the March, April and May timeline, there was no evidence to Equifax that a breach had occurred. There was suspicious activity on July 29 and July 30, and we shut down the U.S. portal.

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

However, there was knowledge, and the warning from the national security agencies, although I don't recall specifically which ones, was that there had been penetration of the system.

The questions in Washington and our questions here today are very similar: why the big delay in the realization that the system had been penetrated and was vulnerable to a breach, which eventually, logically occurred?

3:55 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes. The warnings were to require that the patching occur and it didn't. For that, we're feeling repercussions worldwide.

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Is there any consideration of a firewall between the Canadian portion of the company and the United States portion, given the problems that obviously developed at head office?

3:55 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Given our global security and the fact that we operate in 24 different countries, we want to make sure those are consistent. We don't want decentralized systems. We want to make sure that they're centralized, so that we have a consistent policy across the board. You wouldn't want one country to have a belt and another one to have a belt and suspenders.

We want to make sure those efforts...anything that's low vulnerability, we're now raising to medium. Anything that's medium, we're raising to high. We want to go above and beyond the industry standard. Again, this incident was a watershed moment for us and for the industry. We want to make sure it doesn't happen again.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Given that the company in the United States lost faith in the former CEO, could the same be said in Canada and in other Equifax national operations? Are there remaining questions about the interim leadership of the company?

4 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I can speak for Canada in terms of...when I found out and when our leadership team found out on the evening of September 7, we took immediate proactive steps to make sure that all Canadian consumers.... That was our number one priority, Mr. Kent, that Canadian consumers were protected and notified. We had to obtain that data from our U.S. parent and that took time. There were over 11,000 files that our forensic experts were combing through and then, later on in the investigation, they narrowed it down to 28 files that contained Canadian data.

The Canadian part of it only came to light late in the investigation. Before the U.S. released that people had been impacted in the U.S., about September 4 or 5, the U.K. and Canadian data portions were identified. All they knew was that there were certain elements. We didn't know the scope. We didn't know what type of data, but once we had that information, the Canadian leadership team took over and were able to lead that charge here in this country.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Okay.

We were led to believe from some sources in the United States that the Canadians who were affected had a history in the U.S. credit measuring universe. How did the Canadians get into the American universe? You said earlier that the 8,000...or the 19,000, down from 100,000 originally, are Canadians in Canada who have been exposed. Could the number of Canadians in the United States or who have been in the United States in previous years or decades be much larger?

4 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

No. In terms of the U.S. residents, if they had a U.S. social security number, then they would be treated in that 145 million. Those numbers are very small. I don't have those numbers today, but it's not a huge amount.

In terms of—

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

As one of those potentially exposed individuals, who couldn't get into the Equifax U.S. website—I gave up after about two hours. The access rules seem to keep changing, so you can see where that raises great concern.

4 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I appreciate your frustration.

In terms of the 18,000 or 19,000 Canadians, those were any Canadians who had a business to consumer relationship with Equifax. Anybody who purchased something online with Equifax and put in payment card details, since there's some personal information, those were the majority of the 19,000 that were compromised in Canada.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

4 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

We'll move to Mr. Weir for seven minutes.

4 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Thanks very much.

Mr. Kent asked you about the delay between the hacking and Equifax finding out about it. I'd like to ask you about the delay between Equifax finding out about it at the end of July and disclosing it publicly in September.

4 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In terms of the timeline, July 29 and July 30 was when our security team in the U.S. noticed suspicious activity. At that time they didn't know there was a breach; they wouldn't even know there was personal information involved. That was on a U.S. online consumer dispute resolution portal. On August 2, Equifax Inc. contacted King & Spalding, retained them as outside counsel, and King & Spalding engaged Mandiant, a forensic expert, to perform that forensic investigation. As you can appreciate, with the 145 million U.S. citizens impacted, plus a certain number of Canadian and U.K. residents, there was a lot of data to comb through. They had to go back and query everything that the criminals had. Remember that this was a criminal hack. Again, the FBI was involved as well. There were a lot of moving parts, a lot of individuals involved, people working around the clock to get information and get the answers both the American and Canadian public wanted. Given the complexity, the number of files, the data they had to comb through was unstructured so it wasn't as if you were looking into neat files, and given the enormous volume, it took time to work through it.

As I mentioned earlier to Mr. Kent, the Canadian part of it came to light 48 hours before the announcement on September 7. Because the datasets were so enormous, it took time to make sure we did a complete, thorough investigation so we could identify each individual consumer, match them with a correct address so we weren't notifying a previous address, and it took time for the crisis incident response team, given the size of the breach, to be ready to respond to those consumers' questions, fears, concerns, and frustrations.

4:05 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Presumably it would have been possible to disclose a breach before combing through all that information. Was it because of the FBI investigation that you weren't able to make that announcement sooner?

4:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

It wasn't because of the FBI. That was one part of it. With these breaches you also see copycat attacks. We knew that if anybody had made that announcement on whatever date it was made, we had to be ready for the copycat attacks and make sure all our systems worldwide were not as vulnerable as they were in March. That took enormous effort, involved everybody from legal, privacy, security, IT, all hands on deck. Again, given the enormity of those impacted, it did take 40 days or so to do that.

4:05 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Okay.

Mr. Erskine-Smith indicated that Equifax essentially sells a public good. Would you accept that characterization, that Equifax is essentially analogous to being a utility?

4:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We facilitate protection for consumers, fraud protection, identity theft protection, and we have products on the market that have been used worldwide in giving consumers some peace of mind and protection of their identity when they want it. Again, we have free products like an alert, where you can put on your credit file to “please contact John Russo at this number before granting credit”. You alert everybody who's accessing your file that you want to be alerted before granting credit. We facilitate consumers in life events. When you apply for a mortgage, a new car, the house of your dreams, people come to us to be able to do that in an efficient and accurate way. Without that credit information, it would slow down the whole economic system in applying for credit. As you can imagine, the banks and the financial institutions want that easily, and they want to make sure it's correct information.

4:05 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

But essentially people have to participate in it and have to subject their information to.

4:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

You're correct. Consumer consent and permissible purpose are two key elements under the Consumer Reporting Act. Without that, the institution that is trying to access an Equifax credit file could not. You need the consumer's consent, and you have to have one of the allocated permissible purposes under legislation to do so.

4:05 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

For sure you need consumer consent, but as you mentioned, credit is required for all sorts of life events that essentially everyone passes through. People don't really have the choice to not participate in the credit system or not provide their information into the network.

4:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

The information they're providing is to better serve consumers, so that they're getting the best rates possible and getting credit that allows them to take part in those life events and engage in commercial transactions in Canada.