Credit agency reports security breach

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html

By Carly Suppa
MARCH 17, 2004
TORONTO 

MARCH 17, 2004 - TORONTO - More than 1,400 Canadians, primarily in the
provinces of British Columbia and Alberta, have been notified of a
major security breach at Equifax Canada Inc., a national
consumer-credit reporting agency.

Equifax confirmed yesterday that it discovered the breach in late
February and has notified affected consumers via registered mail
asking that they contact the agency to review the contents of their
respected credit files.

According to reports, access was gained to the personal, detailed
credit files of more than 1,400 people. The files contained social
insurance numbers, bank account numbers, credit histories, home
addresses and job descriptions.

Equifax is working with the Royal Canadian Mounted Police to find the
culprits of the unauthorized access. At press time, there was still no
word on the success of the investigation.

Equifax spokespeople refused to comment, but the company issued a
statement that outlined the steps it is taking to ensure consumer
protection.

The company has activated alert messages reading "lost or stolen
identification" on the credit file of each affected consumer, which
Equifax said would "prompt potential creditors to carefully confirm
the consumer's identity and will help protect the consumer from
potential identity theft."

The agency also stated it is providing affected consumers with a
one-year free subscription to Credit Alert, a service that monitors
credit file activity and alerts the consumer immediately of any
changes "that could signal potential identity theft."

This situation has the Canadian security community very concerned.  
According to Rosaleen Citron, CEO of Burlington, Ont.-based security
software firm Whitehat Inc., the breach is more dangerous than any the
community has seen before.

"The information that was compromised was localized to Alberta and
British Columbia with a few out of Ontario," Citron said. "Equifax has
a very large database. If someone has breached the system, they would
have all the information -- not just 1,400 files. This is a situation
where the people who perpetrated this [likely were] funded."

Citron offered this analogy: "If you were going out and wanted to rob
a bank, you may want to go and buy a vehicle and paint it to look like
an armored car and show up three minutes earlier. The point is that
takes money, effort and time. Whoever did this, it took money, effort
and time."

In terms of identity theft, while Canada lags significantly behind the
U.S. in the number of ID thefts per year, the fact remains that
Canadian numbers are increasing. According to numbers from Equifax and
fellow credit reporting agency Trans Union of Canada, ID thefts
increased from approximately 8,100 reported incidents in 2002 to more
than 13,000 reported in 2003.

To combat these thefts, Citron said the industry is seeing more
emphasis on database security.

"People were very concerned about the perimeter, but now they
understand that it is the databases that carry the gold mines and
criminals are mining for them," she said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.