Do you know who has accessed your personal financial information? You may think you know, but there could have been a privacy breach you might not even be aware of. Remember to monitor your financial information to prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Equifax made international headlines recently when both the American and Canadian branches of the credit monitoring company experienced a privacy breach, exposing the personal data of hundreds of thousands of individuals. It is believed that as many as 100,000 Canadians may have been exposed, having their names, addresses, Social Insurance Numbers, and, in some cases, credit card numbers compromised.

What happened

It appears that Equifax did not properly fix a known vulnerability on their Apache computer server and the server was hacked. Equifax did not make a public announcement of the breach until after they were hacked a second time, after not fixing the vulnerability.

Equifax will mail notices to all affected Canadian consumers outlining the steps they should take, and it will be providing complimentary credit monitoring and identity theft protection for 12 months for those Canadians impacted by the breach. 1

The Equifax breach is one of the largest to date, and it affects the everyday consumer. It is especially painful because many of the people who use Equifax services have either taken a conscious step to prevent a breach or have already been a victim of a breach and have registered with Equifax so that they can keep tabs on when their information may be used so that they can respond quickly.

Privacy Nuggets You Need to Know

Impacts to Equifax

When a business collects personal information (including sensitive financial information), that business is responsible to ensure reasonable safeguards to protect the privacy, confidentiality, and security of that information.

When a breach occurs, the business can face a variety of penalties, sanctions, and other consequences. In these still-early days in this case, Equifax has experienced:

• Considerable harm to its reputation, value of its stocks, and it appears loss of jobs for some key employees.
• Class action lawsuits have already been filed against Equifax.
• If this breach had occurred in Europe next spring when the General Data Protection Regulation (GDRP) rules will be in effect, Equifax could have been fined up to 4% of the organization’s world-wide operations.
• Investigation by the Office of the Privacy Commissioner of Canada was opened in September 2017 and is on-going at this time.

Impacts to individuals

I haven’t seen any reports of the information breached in the Equifax hack being used for malicious purposes, yet. It may take some time before these activities are identified. In the meantime, individuals may experience some anxiety anticipating that their confidential information may have been compromised.

Here are some steps that you can take now to protect your personal and financial information on-line.

What can individuals do now?

When you register for a credit monitoring service, the service is supposed to tell you after your account has been hacked. It seems to me to be counter-intuitive to register with a credit bureau to monitor your accounts now.

If you prefer a pro-active approach, consider using a “credit freeze”. A credit freeze means that you block anyone from accessing your financial information for the purpose of a credit check. This may reduce the risk of exposing your credit information to scammers. There may be a small fee ($3–$5) to request a credit freeze, and you must specifically request this from the credit monitoring businesses (Equifax, TransUnion, Experian).

When you have a legitimate reason to authorize a credit check (for example, when you want to make a major purchase that requires financing), you authorize an un-freeze of your credit accounts. You can re-freeze your accounts after the authorized transaction is complete. There are user fees to un-freeze your account.

Instead of waiting to be informed that your credit accounts have been compromised, you could also consider a service like CreditKarma.com. This is a free credit monitoring service that sends alerts to your phone when a credit check is requested.

Other proactive steps that you can take

• Review your bank statements and credit account transactions regularly. Credit card companies can often recognize very unusual activity on your account before you, but you’re responsible for monitoring your own accounts.
• Request your own credit reports regularly, and review them for any unusual activities.

The Office of the Privacy Commissioner of Canada recommends these tips if you are concerned that you might be affected by the Equifax breach.2

• Call Equifax at 1-866-828-5961 (English service) and 1-877-323-2598 (French service) or email EquifaxCanadaInquiry@Equifax.com. Check for updates on the Equifax Canada website.
• Equifax has said that it will not be calling affected consumers. Hang up if someone calls claiming to be from Equifax, as scammers may try to take advantage of the breach – don’t trust the caller ID display as this can be spoofed. Do not provide personal information over the phone or by email.
• Monitor your credit cards and bank accounts regularly, and keep a close eye out for any transactions you did not authorize. Report any issues right away.
• If you identify a concern involving a theft/crime, report the incident to local police. Report any incidents involving a scam or fraud to the Canadian Anti-Fraud Centre.
• If you think you have been targeted by identity fraud, advise your bank and credit card companies. Close any accounts and cancel any cards that may have been compromised.

What about your business?

A privacy breach like this can happen to your business, too. In fact, 44.2% of cyber attacks in Canada targeted the service sector and, most frequently, the business services and health care sectors in 2016.

Many website hosts, cloud-based service providers, and other services use Apache computer servers – maybe even your business. (To find out which computer server your SSL web server on the public Internet host uses, see https://www.ssllabs.com/ssltest/analyze.html for an online tool that you can use to generate a security report and suggestions to fix any vulnerabilities.)

This unfortunate breach is a good reminder for all businesses and clubs to follow-up with your service provider or IT support to ensure that your server has been reviewed recently for vulnerabilities and is updated. In addition:

• Many website hosts, cloud-based service providers, and other services use Apache computer servers – maybe even your business. Review your server security.
• Use technology and tools to detect a breach and to manage it completely.
• If you don’t have the skills to use these tools, purchase qualified managed services to ensure good cybersecurity.

Each businesses should assume that you will be breached sometime. To prepare for this,

• Know your “crown jewels” (sensitive information and other information assets) and your vulnerabilities.
• Have a privacy breach response plan. If you don’t have one yet, take a look at the online education, 4 Step Response Plan – Prevent Privacy Breach Pain.

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

October is Cyber Security Awareness Month! We are proud to be a champion and to host the 15 Day Privacy Challenge. Join us for more tips for your home or business – Free!

1, 2 Office of the Privacy Commissioner of Canada. (2017, September 15). OPC launches investigation into Equifax breach. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2017/an_170915/

References and Resources

Office of the Privacy Commissioner of Canada. (2017, September 15). OPC launches investigation into Equifax breach. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2017/an_170915/

Rendell, M. (2017, August 22). How seriously are Canadian investors taking cyberthreats? Globe and Mail.

Robison, B. (Cylance), Davis, M. (CounterTack), Chenette, S. (AttackIQ), & Flynn, K. (Skybox Security). (2017, September 19). Lessons from the Equifax Data Breach for Improving Cybersecurity

Stewart, K. (2017, September 25). After Equifax hack, time to make sure your identity’s safe. The Daily Nonpareil. http://www.nonpareilonline.com/business/after-equifax-hack-time-to-make-sure-your-identity-s/article_66c4d3f0-a090-11e7-8c16-ef14890b52e8.html