The company said Tuesday the investigation is ongoing and it appears that the breached data may have included names, addresses, social insurance numbers and in some cases credit card numbers.
“We apologize to Canadian consumers who have been impacted by this incident,” Lisa Nelson, president and general manager of Equifax Canada, said in a statement.
“We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete.”
The credit data company added that hackers accessed Equifax Inc.’s systems through a consumer website application intended for use by U.S. consumers. The hackers obtained access to files containing the personal information of some Canadian consumers through the interface, Equifax said.
On Sept. 7, Equifax announced that it suffered a data breach that may have compromised the personal information of 143 million Americans and an undisclosed number of Canadian and U.K. residents. The company said last week that fewer than 400,000 U.K. individuals may have had their information put at risk.
But Equifax, which collects data about consumers’ credit histories and provides credit checks to a variety of companies, had been tight-lipped about the security issue’s impact in Canada.
Canada’s privacy watchdog announced last Friday that it was probing the data breach and Equifax had committed to notifying those affected in writing as soon as possible.
Equifax said Tuesday that it will be sending mailed notices directly to Canadians who have been impacted in the cyberhack outlining the steps they should take.
It is also offering Canadians whose data was put at risk free credit monitoring and identity theft protection for the next 12 months, a service offered to U.S. residents on the day the cyberattack was first announced.
The company is now facing investigations in Canada and the U.S.
At least two proposed class actions have been filed in Canada and many more in the U.S. against Equifax in connection with the data breach.
The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”