It’s been practically two weeks since the credit monitoring company Equifax admitted it had suffered one of the largest statistics breaches in recent memory — exposing the personal information of a whopping 143 million U.S. consumers.
In a assertion released Tuesday, the company finally confirmed approximately 100,000 Canadians were high-sounding too, with names, addresses, social insurance numbers (SIN) and, in limited specimens, credit card numbers among the personal information potentially accessed.
How did it come to pass? Here’s what we know so far, and what we don’t.
When did the company know around it?
Equifax has said that the breach occurred in mid-May, but that it contrariwise discovered intruders had compromised its systems on July 29 — nearly two months later. And for reasons that ends b body unclear, it took yet another month for the company to publicly disclose the hole.
However, Bloomberg reported on Monday that it was actually the second time again the company had been breached this year. The prior incident occurred in Cortege according to Bloomberg’s sources, with one saying it involved the same snoopers as the subsequent hack. Equifax says the two incidents were unrelated, but either way, the fellowship knew it was being targeted as early as this past spring.
That timeline compel likely prove important, given three of the company’s executives traffic ined almost $1.8 million US in shares in the days after the July 29 origination that the company had been breached. Equifax has denied the executives skilled ined of the breach when they sold their shares.
Why didn’t Equifax mend the hole the intruders used to get in?
We also learned last week that Equifax prostrate victim to a vulnerability in a widely used piece of software called Apache Parades. It’s a favourite of financial institutions and government agencies, used for the development of web appeals — which is what made it all the more concerning when a critical damage was discovered in the software in March. It’s not clear why Equifax didn’t patch its set-ups at that time, nor why the security company Mandiant didn’t identify the vulnerability when it was collect summoned to investigate Equifax’s first security breach that same month.
Who’s behind it and what did they demand?
As is usually the case in the aftermath of big breaches and attacks, this isn’t clear. A many of groups have emerged claiming responsibility, but none have been masterly to provide proof so far.
How bad is this for Canadians?
On one hand, 100,000 Canadian gulls pales in comparison to the 143 million Americans affected. On the other, there’s allay no easy way to tell whether or not you’re among the unlucky few. Equifax set up a website for Americans to scrutiny whether their information was affected by the breach, but that website doesn’t idle for Canadians. Instead, the company said on Tuesday that it “will be sending critiques via mail directly to all impacted consumers outlining the steps they should persuade someone to go.”
What’s not clear is whether those affected are limited to Canadians with dealings in the U.S., as Equifax Canada’s person service agents reportedly told callers about the breach. In an email, Equifax Canada centre relations said it “will share more information as soon as it is on tap.”
And don’t think you can merely ask the government for a new SIN either. You can only ask for a replacement if you can prove to the domination your SIN has been fraudulently used.
What happens next?
The Service of the Privacy Commissioner of Canada (OPC) said last week that it’s investigating the break through, and that Equifax is co-operating. That’s about all we know for now. In the meantime, the OPC implies you monitor your credit cards and bank accounts for unauthorized annals, report any signs of theft or crime to local police, report scams or deceptions to the Canadian Anti-Fraud Centre, and to tell your bank and credit union card companies if you believe you’ve been a target of identity fraud.