TORONTO -- Equifax Canada said Tuesday approximately 100,000 Canadian consumers may have had their personal information and credit card details compromised in a massive cyberattack that also affected 143 million Americans, as the U.S. parent company revealed it also had a separate data breach this year.
"We apologize to Canadian consumers who have been impacted by this incident," Lisa Nelson, president and general manager of Equifax Canada, said in a statement.
"We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete."
Equifax announced on Sept. 7 that it discovered a data breach in July that may have compromised the personal information of 143 million Americans and an undisclosed number of Canadian and U.K. residents.
But the company, which collects data about consumers' credit histories and provides credit checks to a variety of companies, had been tight-lipped about the impact of the cyberattack in Canada.
Canada's privacy watchdog announced last Friday that it was probing the data breach.
The Canadian division said Tuesday an investigation is ongoing and it appears that the breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.
Equifax Canada has provided information to MasterCard and Visa about Canadians whose credit card details may have been compromised for communication to the financial institutions involved, which will then communicate with consumers, the company said in an update on its Canadian website.
Hackers accessed Equifax Canada's systems through a consumer website application intended for use by U.S. consumers, it said. The hackers apparently obtained access to files containing the personal information of some Canadian consumers through the interface.
"Equifax Canada can confirm that Canadian systems are not affected," it said on its website.
"We have found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S."
Equifax's investigation so far shows that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said it is working closely with its parent company and an unnamed, independent cybersecurity conducting the ongoing investigation.
The cyberattack occurred through a vulnerability in an open-source application framework that was detected and disclosed in March. The U.S. parent company revealed on Tuesday it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.
The breach involved TALX, which is Equifax's human resources and payroll service. The company said there's no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.
Three executives at Equifax were found to have sold stock in the days leading up to the time when Equifax disclosed the more serious breach. Equifax says the three executives, which includes the company's second-highest ranking employee, its chief financial officer, were unaware of the bigger breach when they sold their shares. Equifax has also announced that its chief information officer and chief security officer were retiring, effective immediately.
Massachusetts Attorney General Maura Healey sued Equifax on Tuesday, making it the first state to take direct legal action against the company following the breach. Its lawyers say that Equifax's negligence exposed more than half the state's adult population to the breach, and the company was negligent in dealing with security threats, including the software vulnerability that has become the centre of the investigation.
The company is now facing investigations in Canada and the U.S. At least two proposed class actions have been filed in Canada and many more in the U.S. against Equifax in connection with the data breach.