With regard to the impacted data, our core consumer and credit database, the daily transactions we do with banks, the information we sell to the banks, was not impacted at all here in Canada. Again, the 18,000 was with regard to payment, process, and data that resided in the U.S. where there was a transaction between a consumer and our U.S. merchant.
In terms of the timeline, I just want to clarify the Canadian portion of the records that were impacted came to light on or about September 4 or 5, with all the experts and everybody working around the clock. The Canadian pieces came to light late in the game, in the investigation. When we found out my timeline on the 7th, we notified all the appropriate commissioners. We contacted our clients. We did what we could from a Canadian perspective to best serve those Canadian constituents, and at the time we didn't even know how many there were. We worked with our incident response team and our leadership team in Canada to make sure we got the correct information, that we worked with our teams south of the border to ensure we had all the tools at our fingertips. Once we had that information, we provided the consumers with the protections in place, the monitoring they could subscribe to affording them protection of their identity, and you heard the features of that product.
To ensure this doesn't happen again, just to summarize, we've enhanced our vulnerability scanning, our patch management processes and procedures. We've reduced the scope of sensitive data retained in our back-end databases. We've also increased restrictions and controls for accessing data housed within critical databases. We've deployed additional web application firewalls. The list goes on in working with internal and external experts. It wasn't that we didn't have good systems in place, but we want to be better.