News about another successful cyberattack, on government or on a private company, in a single country or worldwide, is now almost routine. What such events usually have in common is a desire by the hackers who perpetrate the attacks to profit from them — either by demanding payment from the entity whose systems have been compromised, or by obtaining confidential personal information about individuals, which the hackers can then use fraudulently or sell to others who wish to do so.
In September of this year, the credit reporting firm Equifax announced that it had been subject to such a successful cyberattack, and that attack was especially concerning because of the nature of the information Equifax holds.
Most Canadian adults have used credit at one time or another. Whenever an individual obtains and uses credit, whether through a credit card, line of credit, car loan, or otherwise, the financial institution which provided the credit provides information about that credit use to a credit reporting agency like Equifax. The information provided includes the original amount of the debt, the payment history, whether any payments were made late, and the current balance. The file held by the credit reporting agency also includes personal identifying information about the individual, which can include the individual’s social insurance number (SIN). Such information is accumulated throughout the individual’s financial life and is used by credit-granting institutions to assess an individual’s creditworthiness whenever he or she makes an application for credit.
It’s readily apparent that credit rating agencies have a great deal of personal and financial information about individuals, and it was that information which was compromised in the cyberattack on Equifax which took place between mid-May and July 2017. Equifax has confirmed that personal and financial information of about 100,000 Canadians had been accessed in the cyberattack. (That number is subject to change and increase, as the investigation continues.) The information accessed included individuals’ names, addresses, credit card numbers, and – most ominously – SINs.
Equifax has committed to contacting, by mail (not e-mail or phone), the 100,000 Canadians whose personal information has been compromised. It will also be providing such individuals with credit monitoring and identity theft protection for a period of 12 months, at no charge. Individuals who are not contacted but have questions can contact Equifax at 1-866-699-5712 or by email at EquifaxCanadaInquiry@equifax.com.
Anyone whose personal and financial information is stolen, whatever the circumstances, has good reason to be concerned. And, given the number of instances in which Canadians routinely provide such personal and financial information, online or otherwise, the chances of being affected by an information security breach continue to increase.
As a practical matter, there is really nothing individual Canadians can do to ensure that companies, institutions and governments which have and hold their personal information are not subject to a cyberattack or other information breach. What Canadians can (and should) do is to restrict the personal and financial information which they provide to others to that which is required by law or absolutely necessary in the particular circumstances. And there are a number of steps which individuals can take to protect the personal identifying and financial information which they do disclose, and so minimize the risks that such information will be misused or that they will become victims of identity theft.
Perhaps the most important of those steps is the need to protect one’s SIN. Having someone else’s SIN can give an unauthorized person significant access to additional information about that person, and can even allow them to impersonate that person, especially online, where bona fides can often be established simply by providing requested personal identifying information.
The circumstances in which Canadians are legally required to provide their SIN are relatively few. We need to include it on the annual tax return, and we must provide it to financial institutions where the individual holds an interest-bearing account, a registered retirement savings plan, a registered education savings plan, or a tax-free savings account. There are not many other instances in which providing one’s SIN is required.
Online shopping is now ubiquitous and, of course, purchasing anything online requires an individual to provide a method of payment, which is usually a credit card number. The major online shopping sites have security protocols in place, but the reality is that providing one’s credit card number online will always carry a risk. There are ways to minimize that risk. Individuals who shop online on a regular basis might consider obtaining a credit card which is used only for online shopping, and which has a relatively low credit limit.
For those who wish to obtain personal information about someone else for fraudulent purposes, all forms of social media are, of course, a gold mine. Everyone has heard of the need to exercise caution with respect to the personal information disclosed on social media. What many don’t recognize is the need to consider the totality of information that is being “shared” on all social media platforms in the aggregate, not just on a single site like Facebook, Twitter, or Instagram, or in a single post on any of those sites. Anyone seeking to collect personal information about an individual for identity theft or other fraudulent purposes will certainly put together information from all available sources. And, while a single piece of information disclosed in passing, or in isolation, may not seem to pose a risk, it doesn’t take much information to create that risk. For instance, no one would post their bank account number on social media. But, someone who posts on Facebook about their frustration with a particular interaction with their (named) financial institution has created an opportunity for someone to approach them (weeks or months later) with fraudulent intent, purporting to be from that financial institution and asking them, for instance, to confirm their bank account number as part of the bank’s regular fraud prevention program. And too often, recipients of such approaches don’t consider that the caller might have obtained information about who they bank with from a months-old social media post. Such fraudulent approaches rely on the fact that most recipients don’t think to verify the authenticity of the call or the caller.
Not disclosing one’s SIN unless legally required to do so, and taking care when online shopping or in posting on social media are only some of the precautions which can be taken to protect one’s personal information. There are many others, and there’s a lot of information available on how to protect yourself and what to do if your personal or financial information falls into the wrong hands. The following websites are a good place to start:
www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm and https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/index-eng.aspx