Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was equifax.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Antonietta Di Napoli  Director, Global Operations, Equifax Canada Co.
John Russo  Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee  Mr. Hugues La Rue

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

The allegations that it's a criminal activity come from you, not necessarily from the FBI, because you don't know who made the transaction. Are there any allegations that help could have been provided internally?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, we continue our investigation with both the FBI and local law enforcement.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

That's not my question. I'm going to switch to English, because they don't get it.

Do you have any information regarding inside help on this hacking?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Do you mean an insider?

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Yes.

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

None. In our information, there is no indication that there was—

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

How about the supplier of the technology you use for your database?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

There are no facts substantiating that, Mr. Picard.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What was the third party able to do that your security department wasn't able to do?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Could you repeat—

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What was the third party and the FBI...when you referred to an outside third party to investigate—

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

It was Mandiant.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What was their expertise that your security department obviously was not able to accomplish?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In regard to our external forensic.... Mandiant, as well as PwC, were able to recreate the steps, the inquiries, that the criminals had exploited in terms of the hack, and they worked with our internal security department to uncover that information to get a clear picture of what had happened. In terms of remediation, we're working with Mandiant and PwC to come up with remediation steps so that this incident never happens again.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Your security department was not in a position to do the investigation itself.

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

They were in a position, on the guidance of counsel, King & Spalding, to retain an independent forensic expert, outside help, to help better investigate what had transpired.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I have a question, but I guess my time is up.

4:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

You have five seconds. Thank you, Mr. Picard.

Next up is a visitor to our committee, Ms. Boucher.

4:15 p.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Good afternoon. I'm very happy to be here.

This is really very interesting, and I will continue along the same lines as my colleagues.

I'm really surprised. We all know that Equifax still has a big impact on our respective credits. Let's talk more about Canada. There has been a breach in the system, and we are told that the files of 8,000 people have been hacked. Are you sure of that number? I think 8,000 people seems very low considering the number of Equifax clients.

Have you made sure that the alleged victims of this hacking have been informed, either by letter or by telephone?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

This is a correction. There are 19,000 impacted Canadians, not 8,000. Our core assets, our core consumer credit information, was not impacted nor affected, because it was not hacked. The reason the number is 18,000 to 19,000 is that these were individuals who had purchased a product online with their payment card processing with the U.S. that transaction. Our core commercial and consumer database was not affected at all. No other database outside of that U.S. consumer portal was.

We worked with the Office of the Privacy Commissioner to notify everybody in writing to make sure they were all advised. We didn't want to call or email because that's susceptible to phishing scams and people calling vulnerable people, elderly and youth. It was the best course of action to write to each Canadian. Maybe Antonietta can describe some of the consumer relations aspects to your question.

4:20 p.m.

Director, Global Operations, Equifax Canada Co.

Antonietta Di Napoli

Thank you very much for your question.

As Mr. Russo said, we did notify all Canadians via written mail, that being the method of communication that we were suggested to use. Each impacted consumer received a letter. The letter informed them of the actual security breach and what information was impacted.

There were different permutations that were possible. Some consumers may have had their names and their addresses impacted. For some other consumers, it may have been credit card information. Each consumer received the information that was compromised to them in that letter. Along with that was the protection that we were offering them for 12 months, as we specified, and how to activate that service along with how to communicate with Equifax should they have any additional questions.

4:20 p.m.

Conservative

Sylvie Boucher Conservative Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Earlier, you told Mr. Erskine Smith that you were offering one year of compensation.

That doesn't seem like much to me. If it is an indictable offence and the perpetrators wait for a year before committing the same type of fraud, using the information they already have, will you again compensate Canadians who have been victimized?

People have information in their hands. If, after a year, the information that criminals have stolen is used again—criminals don't necessarily think like us—have you planned to help Canadians who are victims of this fraud?

4:20 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

That's the reason we're following our U.S. counterpart in terms of the lock and unlock feature of the credit file that we're rolling out next year for all Canadians in addition to the credit monitoring, where you have alerts and triggers to notify you every time somebody has touched your file. I always say to clients and consumers that it's like a fingerprint. Any time anybody touches your file, they leave a fingerprint. That's the monitoring.

The unlock and lock ability would give the consumer control over who accesses their credit file. Nobody would have access if you turn off that feature, and then, when you go for a loan at the bank, you could turn it back on. You control your personal information as a consumer. That's why we're proactively looking to launch that in Canada in the new year. That affords consumers protections, as well as the alert, as I mentioned, that stays on your file for six years that notifies any credit granter who accesses your credit information that you've been impacted, and you want them to call you at a certain number, perhaps your mobile telephone, before granting credit. Those are all steps that a consumer can take to be vigilant to look out for identity thieves.

4:20 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Madam Boucher.

Next up is Ms. Fortier.

December 4th, 2017 / 4:20 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you for taking the time to appear today and answer our questions.

Honestly, this is an issue, as I'm sure we can all appreciate and see in front of us, that affects every Canadian in this country. You mentioned it in your opening remarks. As many of us around this table are also keenly aware, credit scores and credit rates are very confusing and stressful to our constituents, and they rely in large part on services such as yours to get the information that they need. For many in my riding, and especially those who may not have extra funds, this breach was very personal and very troubling.

My concern lies with what happens moving forward. I know you mentioned in your brief and again here that this information was stolen by criminals. I'm wondering how it is you plan on monitoring where this information ultimately ends up. Have you contracted security firms to try to reacquire it or at least locate who may have stolen this information?