Investors frustrated by credit bureau’s call centre following CIRO data breach

Based on emails received by Investment Executive (IE) from unadvised investors, signing up for TransUnion’s MyTrueIdentity service can require several phone call attempts, depending on circumstances.

“There is another side to that [data breach] mess: the … incompetency of the people running the solutions offered by CIRO to diminish the impact,” one investor wrote when describing his multiple calls to TransUnion.

During the various calls, the investor was told the system was down, or he was disconnected when the call was transferred, or he hung up when background noise was excessive or when he couldn’t understand call centre agents who are outside Canada.

The investor said they had to use the TransUnion call centre when their activation code didn’t work, given that their email address was associated with an expired subscription to the credit monitoring service.

TransUnion declined an interview request. In an emailed statement, David Shum, advisor, corporate affairs and communications with TransUnion, wrote, “In some cases, consumers who previously had a MyTrueIdentity account may need a new activation code or assistance re-establishing access. Our support team can help quickly resolve these situations and can be reached at 1-800-663-9980.” (This number is included in CIRO’s notification letters to those affected by the breach.)

Further, Shum said, “There have been periods of higher-than-usual call volumes due to strong interest in the service, which has resulted in longer wait times for some consumers. Call volumes have since normalized, and our teams continue to monitor call quality and accessibility to support clear and efficient interactions.”

TransUnion “remains committed to supporting Canadians affected by this incident and ensuring they have access to the identity protection services being offered,” Shum said.

After having their personal information hacked, some investors are wary of their calls being handled by a call centre, particularly outside Canada. In an email to IE in reference to providing verification information to call agents, one investor said, “Why would I let them have my personal information in foreign countries?”

Wary investors should understand that the credit bureaus already have their personal information, given that they compile such data to create credit files on consumers. Consumers typically provide consent to collect their personal information to the credit bureaus’ customers — businesses such as banks and credit card companies.

Shum said that as a global company, TransUnion operates customer support teams in multiple locations.

“The location of a support agent does not change how we protect personal information,” he said. “All customer support operations — regardless of where they are located — follow the same security and privacy requirements, including role‑based access controls, identity verification procedures, continuous monitoring and mandatory training. Agents only access the information required to assist a consumer, and our controls are designed to protect personal information at all times.”

TransUnion’s privacy policy is posted online.

Frustration with navigating the credit bureaus’ call centres isn’t unique to people affected by the CIRO breach. But the frustration is understandable, given their concerns about potential identity theft.

On Monday, the CBC reported on a fraud victim’s long battle to get the credit bureaus to fix errors on her credit record. The case involved months of calls to Equifax as well as online technical failures, the public broadcaster reported. In comparison, TransUnion’s online dispute process was better, but it took the credit bureau more than a year and a half to fix the credit record.