A former employee has filed a class action application against Equifax Canada Co. and Equifax Inc., alleging that the credit bureau allowed one of its third-party partners to access his credit file without his consent, based on a fraudulent account in his name that was held by the third party. The now former employee worked on Equifax’s commercial data strategy at the time.
This application serves as an important reminder to investors and registrants affected by the Canadian Investment Regulatory Organization’s (CIRO) data breach to regularly review inquiries made to their credit reports.
The class-action application was filed on Jan. 22 with the Quebec Superior Court in Montreal by law firm Twin Lisbet Inc.
“We will vigorously defend these claims through the appropriate legal channels,” Equifax Canada Co. said in an emailed statement on Thursday. “Equifax plays an important role in the financial lives of consumers, and we take that responsibility very seriously.”
The statement said the credit bureau will continue to focus on providing customers with “advanced tools and industry-leading safeguards.”
The former employee alleges that access entries or inquiries to his Equifax credit file appeared more than 19 times through Borrowell. The fintech is among the third-party platforms authorized by Equifax to transmit requests to disclose credit files, according to the application.
(While Borrowell touts that it provides free access to credit scores if users sign up with the platform, consumers can readily get their credit scores for free online.)
The former Equifax employee discovered the Borrowell entries and inquiries when he consulted the “inquiries” section of his Equifax credit report, the application says. He alleges that the Borrowell account was created using a decades-old address, along with a false email address and false phone number, yet was successfully used to access his Equifax credit file.
According to the application, third-party platforms rely on comparable matching, validation and transmission mechanisms operated and controlled by Equifax. “Equifax’s automated matching mechanisms accepted a match based on partial, inaccurate or outdated information … all without conducting enhanced identity verification or adequately detecting inconsistencies,” the application alleges.
In addition to federal and provincial privacy statutes, the application cites Equifax’s 2017 breach in support of its claim. That breach, which affected almost half of Americans as well as about 19,000 Canadians, resulted in a settlement with the U.S. Federal Trade Commission and others, and included requirements to implement an information security program.
“[T]his history places Equifax in a position of heightened knowledge and imposes a reinforced standard of prudence,” the current class-action application alleges.
Julie Kuzmic, head of consumer advocacy and compliance with Equifax in Toronto, told Investment Executive last fall that, after the 2017 breach, the credit bureau invested billions in IT infrastructure, and continually upgrades and monitors its system.
The access and inquiries into the former employee’s credit file didn’t affect his credit score.
CIRO is providing two years of credit monitoring with Equifax and TransUnion to those affected by the regulator’s data breach that was detected last August.
On Jan. 14, CIRO said about 750,000 investors were affected by the regulator’s breach, and last fall informed affected registrants that their personal information was hacked.