An investigation into a global data breach has found that both Equifax Canada and its U.S.-based parent company fell far short of their privacy obligations to Canadians, according to the Privacy Commission of Canada.

Privacy concerns included poor security safeguards, retaining information too long, inadequate consent procedures, a lack of accountability for Canadians' information and limited protection measures offered to affected individuals after the breach.

The breach affected more than 143 million people worldwide, including 19,000 Canadians.

Significant shortcomings found

“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company's privacy and security practices,” said Daniel Therrien, Privacy Commissioner of Canada.

“In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority going forward.”

Since the breach, Equifax Canada and Equifax Inc. have taken steps to improve their security, accountability and data destruction programs.

Equifax Canada has also agreed to submit third-party audit reports on its own security and those of Equifax Inc. to the OPC every two years for the next six years.

Hackers gained access to Equifax Inc.

The breach occurred after hackers gained access to Equifax Inc.'s systems through a vulnerability the company had known about for more than two months, but had not fixed.

Affected Americans were offered a credit freeze allowing them to restrict access to their credit files, but Equifax Canada refused to make the same offer to Canadians.

The privacy commission is now launching a formal consultation on cross-border transfers.