Equifax Inc and its Canadian unit fell far short of their privacy obligations, a Canadian federal agency said on Tuesday following an investigation into the 2017 data breach at the credit reporting company.

The agency, which is charged with protecting privacy rights of individuals, noted that poor security safeguards worsened the impact of the global cyberattack here that affected more than 143 million people worldwide, including 19,000 Canadians.  “Given the vast amounts of highly sensitive personal information Equifax holds…it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” said Daniel Therrien, the privacy commissioner of Canada.

The agency said Equifax Canada has entered into a compliance agreement to address these concerns and will submit third-party audit reports on its own security and that of its parent to the OPC every two years for the next six years.  This will allow ongoing monitoring of compliance with Canada’s federal private sector privacy law, including assessing the steps taken by Equifax since the breach, OPC said in a statement.

Source: Reuters