Criminals breach Equifax security for second time

June 17, 2005

By Simon Avery

For the second time in about a year, the credit reporting company Equifax Canada Inc. has suffered a security breach that has given criminals access to personal financial information of hundreds of Canadians.

The latest case came to Equifax Canada's attention several months ago, but was made public only yesterday.

Criminals who breached the firewall gained access to 605 consumer files, which contain personal information ranging from names and addresses to types of bank loans and credit cards, payment obligations and social insurance numbers. Credit card and bank account numbers are not part of the files, but security experts say the information in the files can be used by criminals for identity theft and even to build bogus business accounts.

"Their first goal is to steal as much as they can and then see what they can do with it," said Claudiu Popa, president of Informatica Corp., a network security consultancy in Toronto.

A more sophisticated use would be to try to correlate some of the data with other financial information, and open merchant accounts using the stolen names. Those accounts could then be used to create bogus e-commerce sites that steal from unsuspecting on-line shoppers, he said.

Neither Equifax nor police would say whether the information has been put to malicious use.

A spokeswoman for Equifax Canada, Marie-Line Colangelo, said the company has informed, by mail, all the people affected, and the breach has been secured. It has also tagged the affected accounts with the heading "lost or stolen identification" to warn creditors to confirm the consumer's identity to protect against possible identity theft.

She would not comment on whether the unauthorized access was by hackers breaking into Equifax Canada's computer systems, by physical theft of the information, or by other means. In a statement, the company said: "We have learned of an incident involving what appears to be the improper use of one of our customer's access codes and security passwords."

The RCMP said it was contacted by Equifax Canada several months ago and has been conducting an investigation since then out of British Columbia, where most of the affected individuals live.

Corporal Anthony Choy, an RCMP spokesman, would not say if the two security breaches were connected. The investigation into the first one is still under way and no arrests have been made, he said.

A little over a year ago, Equifax reported that criminals posing as legitimate credit grantors had accessed the credit files of roughly 1,400 consumers, primarily in B.C. and Alberta.

Mr. Popa said it's widely assumed in the security industry that the 2004 attack occurred when criminals managed to fool Equifax's on-line account system into granting administrator-like access -- known as an elevation of privilege attack. It's entirely possible that elements of the first crime were still present in Equifax Canada's computer system, allowing for a second breach, or that the criminals had help from the inside, Mr. Popa said.

"For a credit reporting agency, this is a huge hit," he said. "All the trust goes out the window."
