A massive data hacking at Equifax Inc., the credit rating and monitoring company, compromised the personal information of about 143 million Americans and at least 100,000 Canadians. It is a recent and vivid illustration of the risks that privacy breaches can pose not only to individuals but to the organizations that are targeted. According to the Equifax Canada website, the personal information of Canadians accessed by the hackers includes names, addresses, social insurance numbers and some credit card numbers, placing these individuals at risk of identity theft. The hackers exploited a flaw in Equifax’s computer system – a flaw that Equifax knew about but had not fixed – to gain access to consumers’ personal information between May and July 2017. Although Equifax Inc. learned about the breach on July 29, 2017, it did not make it public until September 7, 2017. A number of senior executives at Equifax including, most recently, the CEO, have stepped down as a result of the breach. The company has been strongly criticized for its poor security and for its mishandling of the breach and is facing a number of investigations, including one in Canada by the OPC and class action suits, while its shares have decreased in value. Charities and not-for-profits can also be targeted by cyber attackers. The Ponemon Institute’s 2017 Cost of Data Breach Study shows that nearly half of all data breaches in Canada are caused by malicious or criminal attacks and that these breaches can be costly to organizations.
Charities and not-for-profits should ensure that they have robust safeguards, as well as effective crisis/privacy breach protocols in place so that they do not sustain similar reputational and operational damage.