'I'm just so furious': Mother and son both fall victim to Equifax Canada hack

Robin Harvey thought she was being financially prudent when she urged her son to sign up to monitor their credit files at Equifax Canada in 2013.

Her son was graduating from university at the time, and the former journalist pushed him to keep a close eye on his records while reactivating her account with the credit monitoring agency as well.

Unfortunately, that move likely exposed them to the very thing she was trying to avoid _ both received letters this week notifying them that their personal information, as well as account passwords and security answers, were exposed in the massive Equifax cyberhack reported last month.

“I’m just so furious, and I can’t believe it,” the Toronto woman said in an interview with The Canadian Press.

“I did something that I thought was helping him be a responsible, fiscal consumer… And it’s tragic that it turned out this way. It’s exactly the opposite of what I wanted.”

Harvey and her son are among the 8,000 Canadians whose personal data, and in some cases credit card details, was stolen by hackers in the massive Equifax data breach discovered on July 29.

Equifax Canada’s website says that it has concluded its investigation of the hack and has begun mailing notification letters to Canadians whose information has been exposed.

“Potentially impacted information may include names, addresses, gender, and social insurance numbers, as well as usernames, passwords, and secret question/secret answers, which Equifax believes are several years old and were login credentials for use of its direct-to-consumer website,” it reads.

Hackers were able to access or steal the personal data of roughly 145.5 million U.S. consumers, and nearly 400,000 Britons. Equifax Canada originally said the hack may have impacted as many as 100,000 Canadians, but later downgraded that figure to 8,000.

Canada’s privacy commissioner launched an investigation of Equifax breach on Sept. 15.

Both Harvey and her son — who does not want to be named because he is paranoid about exposing more of his personal information — received a six-page letter, in English and French, that was reviewed by The Canadian Press.

The letter details the data that was compromised, and extends an offer of 12-months free credit monitoring and identity theft protection. Harvey’s letter also noted that she had an Equifax account, which has now been locked for her protection.

“Equifax has been a key player in the protection of privacy for decades,” reads the first line of Harvey’s letter. “Unfortunately, earlier this year, our U.S. parent company discovered that criminals exploited a vulnerability with its U.S. online dispute portal web application.”

The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. This vulnerability was detected and disclosed in March by the United States Computer Readiness Team. Equifax has said that it “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

The fact that this threat was known months before the Equifax hack was discovered strikes a nerve with Harvey.

She points out that consumers have no choice but to have a credit report — and in turn share their personal data with various institutions — in order to do things like take out loans, rent apartments, or get a mortgage.

“You have to engage in this process where they get all this data,” Harvey said. “They insist on having all this data about you, and then they don’t secure it? That’s the outrage.”

She already had her credit card information compromised once before, back in 2006. A man booked himself on a return flight from Montreal to Latin America in her name and she said she was told her information was likely stolen from the online travel agency she used.

Visa caught the double-booking and cancelled her card, Harvey added.

A year’s worth of Equifax’s credit monitoring and identity theft protection is not enough to assuage her fears that someone will take her personal information and wreak havoc, and she will be worrying about this for years, Harvey said. Beyond key information such as her social insurance number, the secret security questions and answers also pose a risk as these are commonly used among many sites, she added.

Experts say that cyberattackers tend to either use illicitly obtained personal data immediately, or wait more than a year until scrutiny dies down to take action.

“I’m very much of the mindset that at some point I’m going to have to deal with some kind of identity theft and security inconvenience because of it,” said Harvey’s son, a Toronto-based artist.

Both Harvey and her son say they are wary of signing up for Equifax Canada’s identity theft protection and credit monitoring service.

“It’s very audacious for them to suggest signing up for a program,” he said.

Harvey wants to ensure that accepting Equifax’s offer does not preclude her from taking legal action, such as a joining one of the class action lawsuits that have been started on behalf of Canadians who may have been affected by the hack.

“The only way to make large corporations that are lax pay attention is to do something like that and cost them money.”