Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

Antonietta Di Napoli, Director, Global Operations, Equifax Canada Co.
John Russo, Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee, Mr. Hugues La Rue

December 4th, 2017 / 3:30 p.m.

Conservative

The Chair Conservative Bob Zimmer

I call to order the Standing Committee on Access to Information, Privacy and Ethics, 42nd Parliament, first session, meeting number 81.

Pursuant to Standing Order 108(3)(h)(vii), we are holding a briefing with Equifax Canada.

We have John Russo, and....

I really want you to pronounce your name before I try.

3:30 p.m.

Antonietta Di Napoli Director, Global Operations, Equifax Canada Co.

It is Antonietta Di Napoli.

3:30 p.m.

Conservative

The Chair Conservative Bob Zimmer

Ms. Di Napoli, that's a very nice name.

Before we start, I want to say by way of preface that one of my first roles as chair was to visit the Equifax hearings in the United States in which we heard that 145.5 million Americans had had their security breached. At the time, there were citations that the data for as many as 100,000 Canadians had been breached. Recently, your company has released that it's closer to 19,000 Canadians whose information was breached.

It is a concern to Canadians, as it was to Americans, that the breach occurred to 19,000 Canadians. By the end of this committee, we'd like to know that Equifax has fixed the software program problem that was present in the U.S. and that the measures you saw will never happen again. I would just like to open with that.

Go ahead, Mr. Russo.

3:30 p.m.

John Russo Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

Good afternoon, Mr. Chair and members of Parliament. On behalf of Equifax Canada, I would like to thank you for the opportunity to join your committee today. I am here to provide you with current information on the recent cybersecurity incident and to answer your questions as best I can.

My name is John Russo. I am the chief privacy officer and corporate secretary at Equifax Canada. I have proudly worked at this Canadian corporation for the past 10 years. I am based in Toronto, where I have lived my entire life. I take great pride in the services that Equifax Canada offers Canadians from coast to coast to coast, as well as the work that we have undertaken with governments across the country to help strengthen privacy laws for individual Canadians.

I am joined by my colleague, Antonietta Di Napoli, director of global operations at Equifax Canada. While her involvement with the breach activity was limited, she has extensive experience in consumer-facing roles and will be able to provide excellent insight to our consumer practices and procedures.

Today I plan to address three topics. The first one is what happened when our parent company, Equifax U.S., was hacked by criminals and sensitive consumer information was stolen from its servers. Second, I will outline the remediation steps that Equifax Canada has taken to assist impacted Canadians. Third, I will discuss what Equifax Canada is doing today to help ensure this does not happen again, as well as outline what we are doing to empower consumers with greater control over their personal credit information.

However, before I cover any of these three topics, first and foremost I want to offer my sincere apology. On behalf of Equifax Canada and the entire Equifax organization, I apologize to all Canadians whose personal information was compromised. Being a trusted steward of information has long been one of Equifax’s core principles, so we were devastated when this happened. I can assure you that in the months and years leading up to this incident, Equifax U.S. did not take data protection lightly. In fact, it has invested aggressively, particularly over the past five years, in security and network resilience. Nevertheless, the cyber-attack and breach occurred and information was stolen by criminals. We accept full responsibility and are accountable for both the incident and the impact it has had on all Canadians.

First and foremost, the question on your mind is, what happened?

We now know that criminals executed a major cyber-attack on our parent company, Equifax U.S. In addition to accessing information on millions of Americans, they were able to access information on approximately 19,000 Canadians. The information accessed included data such as names, addresses, dates of birth, and social insurance and credit card numbers. For your reference, I will provide a brief overview of what happened through a chronology of events.

On Friday, July 29, our parent company’s security department in the United States observed suspicious network traffic associated with a U.S. consumer-facing website. In response, the Equifax U.S. security department blocked the suspicious traffic that was identified. The department continued to monitor network traffic and observed additional suspicious activity on Saturday, July 30. In response, they took the web application completely off-line that day.

The criminal hack was over, but the work to determine the nature, scope, and more importantly the impact of it was just beginning. It was not known at that time that personal information had been stolen. On August 2, Equifax U.S. engaged an independent cybersecurity firm to investigate the suspicious activity and contacted the FBI.

Over the next several weeks, Equifax U.S. and the cybersecurity firm worked around the clock seeking to identify what had happened.

On September 7, Equifax U.S. issued a news release announcing the cybersecurity incident and referencing that it had identified unauthorized access to limited personal information for certain Canadian consumers. At that time, there were no additional details on the number of impacted Canadians or the specific data that was compromised.

On how we communicated with Canadians, as the chief privacy officer of Equifax Canada, I first found out about the cybersecurity incident and its potential Canadian impact moments before the news release on September 7. I immediately took steps to notify both federal and provincial regulators, and by September 8, I had communicated with the appropriate privacy commissioners, including the Office of the Privacy Commissioner of Canada and consumer reporting regulators across the country.

Equifax Canada also retained Ms. Chantal Bernier, former interim privacy commissioner of Canada, now counsel in the global privacy and cybersecurity group at Dentons. We wanted to meet the highest level of compliance in breach response and transparency with Canadians and regulators alike. While the independent cybersecurity firm worked to complete its investigation and provide Equifax Canada with details of impacted Canadians, we started to implement our plan to notify and assist all impacted Canadians.

We also updated our Canadian consumer website, Equifax.ca, to make it clear to all Canadians where they could go for answers. Additionally, we hired more personnel to staff our Canadian call centre, increased our call centre hours, and established a dedicated breach email address.

Then on September 19, Equifax Canada issued a news release to share the preliminary details we had received about the nature of the impact to Canadians as well as what the investigation had uncovered to date.

On October 2, Equifax U.S. issued a news release with updates, including the fact that approximately 8,000 Canadian consumers were impacted by the breach as well as an additional undetermined number of Canadians whose credit cards were compromised. Later that week, Equifax Canada received the data file containing information on the 8,000 individuals from Equifax U.S., and we reviewed it in order to construct a breach notification mailing list. We started to mail consumer notification letters in both official languages to impacted Canadians on October 13.

The notification letters informed consumers of three key facts: first, that their data had been compromised; second, which specific personal information elements were compromised; and third, it outlined the details on how to activate their free 12-month subscription to Equifax Canada credit monitoring and identity theft protection.

On November 10, Equifax determined that the number of Canadians with compromised credit cards in addition to other personal information was approximately 11,000, bringing the total number of impacted consumers in Canada to approximately 19,000. The additional 11,000 consumers have been notified by mail. Throughout this process, we continued to keep our regulators apprised and updated our Canadian consumer website regularly to include new information.

What are we doing to protect impacted Canadians? Like our parent company in the U.S., Equifax Canada is extending a full range of protection to impacted Canadians free of charge for 12 months. This protection includes daily credit monitoring with alerts informing consumers of key changes to their Equifax credit report. Second, we’re offering daily access to their Equifax credit report and score. Third is Internet scanning with alerts, so if we find their SIN or credit card numbers being used on suspicious websites, we can also alert consumers. Fourth, we're offering up to $50,000 of identity theft insurance to assist affected consumers with out-of-pocket expenses.

Impacted consumers received an activation code in their notification letters, which they can use to activate the services online. Alternatively, they can call into our Canadian call centre to receive personal one-on-one assistance.

Here's what we're doing to help ensure this doesn’t happen again. As I mentioned earlier, as soon as the intrusion was discovered, our parent company, Equifax Inc., started a forensic investigation regarding the attacker activity. That investigation is now complete, and we understand what occurred and the extent of the intrusion. Equifax Inc. took steps to fix vulnerabilities, and has undertaken multiple other short-term and long-term initiatives to protect the consumer data that has been entrusted to it.

It has undertaken a revisit of its entire IT and data security practice. It is further hardening networks, changing procedures to require confirmation when software patches are applied, rolling out new vulnerability detection tools, and strengthening accountability mechanisms. It has also engaged industry experts PwC and Mandiant to assist with the global security program, including strategic remediation and transformation initiatives that will help to identify and implement solutions to strengthen our long-term data protection and cybersecurity defences.

Finally, we have committed to working proactively with the entire industry to develop solutions to the growing cybersecurity and data protection challenges we all face. We see this breach as a turning point not just for Equifax but for everyone interested in protecting personal information.

You may have heard Equifax Inc.'s interim CEO share plans to launch a new consumer service that will enable consumers to lock and unlock their credit file at will, free of charge, and for life, through a mobile interface. That product is scheduled to launch in the U.S. in January. We are working to bring similar functionality to Canadians as soon as possible in the new year to ensure that Canadian consumers will have the same control over their credit information as do their American counterparts.

In closing, on behalf of the entire Equifax Canada team, I would again like to express my sincere apologies to all Canadians. While we have taken steps to protect impacted Canadians, we understand that Canadians across the country were upset by the news that Equifax Inc. suffered a cybersecurity breach, which in turn impacted Canadians’ personal information. Many Canadians, whether they were personally affected or not, expressed their concerns and fears to me personally, to my organization, to the media, and to elected officials. I share their concerns, as does my organization. We at Equifax Canada are truly committed to doing everything in our power to win back their confidence and trust.

Thank you.

Ms. Di Napoli and I welcome any questions you may have at this time.

3:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Russo.

Just for clarity, for the committee's sake, questions can go until approximately 5:15 p.m. We have a motion that's going to be brought before committee at the end of that time, and then we have some committee business as well. We can eat into that if we have questions that are still forthcoming, but that's the agenda I would pursue.

First off, for seven minutes, we have Mr. Erskine-Smith.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

At the outset, I would say that Equifax and other agencies similar to Equifax are effectively turning a private profit through providing a public good. The sheer number of Canadians and Americans who have had their data compromised is shocking.

I have a clarification question at the outset. You mentioned 19,000 Canadians. Are those only Canadians living in the United States?

3:45 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

No, those are Canadians residing in Canada.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Do you have numbers for Canadians living in the United States?

3:45 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I don't have those numbers at this time.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Shouldn't you have those numbers?

3:45 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I'd be happy to provide them to you in writing.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

It's interesting. In preparation for today, one would think you would have provided those numbers, but it would be great for you to provide those numbers in writing.

You provided a timeline for us, but as you well know—and I know because I attended the Equifax hearing before Congress—the timeline is extraordinarily incomplete. You don't mention at all what occurred in March.

Perhaps you could explain to this committee and to the Canadian public that the Department of Homeland Security did provide a warning in March. Perhaps you could provide some information about the steps that Equifax Inc. took to respond to that warning, and whether you think those steps were sufficient.

3:45 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Sure. The timeline in the U.S. began on March 9. Equifax disseminated the US-CERT notification, as you mentioned, internally by email, requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with our patching policy, the Equifax security department required that patching occur within a 48-hour period of time.

3:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

What was the follow-up with DHS? DHS warned you on March 8 or March 9. I understand that there was an internal request that the software be upgraded, that the patch be run. The security department ran scans that did not find the same vulnerability that DHS found. What was the follow-up with DHS?

3:45 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

On March 15 our security department also ran scans, as you mentioned, that should have identified the systems that were vulnerable to the Apache Struts.

3:50 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Subsequent to that, what was the follow-up with DHS? A security agency, perhaps one of the most important security agencies, says to Equifax, “You have a vulnerability that could affect millions of Americans.” Your security officials run a program and don't find anything. I'm wondering if there was any communication after that with DHS to say, “We ran this and there are no problems. What did you find that we didn't find?”

3:50 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I'm here in my capacity as a chief privacy officer in Canada. I wouldn't be privy to those discussions or any of the discussions that were had in relation to that.

3:50 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Perhaps you could request that information and follow up in writing to this committee on any follow-up communication with DHS from Equifax's point of view. It occurs to me that if DHS came to my company and said that I have a massive data vulnerability, and I ran my own search and didn't find anything, I would certainly want to be communicating with DHS to let them know I didn't find anything and to ensure that they have followed up on that.

As well, May 13 isn't in your notes, but May 13, as I understand it, is when the hackers first accessed the information. It was between May 13 and the end of July that the hackers had access to the Equifax system. Is that right?

3:50 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

That's correct. It was between May 13 and July 30.

3:50 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

We have just finished a study on protecting Canadians' personal information. We're in the midst of making recommendations. A number of witnesses who came before us testified to the importance of encryption. It is astounding to me that over 145 million Americans and 19,000 Canadians had their information compromised, that it was that easy to get into a system. The information wasn't encrypted. Perhaps you could explain why there weren't sufficient encryption practices.

3:50 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

The standards we had in place in the U.S. were best-in-class standards. They were recognized industry practice. It wasn't like industry practice wasn't followed. In this case, as a result of human error and IT error, the vulnerability occurred and the hackers got in.

3:50 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I expect you don't have an answer to this today, but perhaps you could follow up in writing as well. On a going-forward basis to ensure that something like this never happens again—that was the third point you made before us, and I appreciate that—could you explain to this committee what steps you are taking to strengthen your encryption practices?

3:50 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Sure. In Canada our information is encrypted and tokenized. We're PCI compliant and we follow the security standards.

Going back to the vulnerabilities that occurred, we're having closed-loop confirmation. In basic terms, we're not only issuing the order to patch but now we're also receiving confirmation, closing that loop that it has been patched.

3:50 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

It's great to see that you have some measures, including providing for the next 12 months up to $50,000 in insurance for identity theft. There's no guarantee that identity theft happens over that period of 12 months, and Equifax has quite clearly been negligent in this case with people's data. Are you committed to ensuring that all Canadians are made whole as a result of any identity theft that is a consequence of Equifax's negligence?

3:50 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

For the impacted 19,000 or so, we're offering our premier credit monitoring, a product that's been used in other major breaches in Canada, Home Depot being one of them. That's offered free for 12 months for all consumers impacted. For other consumers who are worried or afraid, they can put an alert on their file. They can come to Equifax. We're offering it free of charge.