Equifax data breach a ‘digital disaster’ for Canadians

By David Shipley, CBC News

The fallout of the Equifax data breach is going to be felt by companies, individuals and government for years to come.

This digital disaster will cause millions of people significant stress as they are dragged into a near never-ending battle with identity thieves.

It will cost billions to contain and attempt to clean up, and the proceeds of the crime will throw even more fuel onto the roaring fire that is global cybercrime.

What is Equifax and what happened?

Equifax is one of the big four credit bureaus — they rank a person’s worthiness to receive credit — things like car loans, mortgages, credit cards or sometimes even services such as telephone, cable and, in the US, even health care.

Their database includes personally identifiable information — names, addresses and most crucially, data like social security numbers in the US or social insurance numbers in Canada.

In May, an unknown group successfully breached Equifax’s online services by exploiting a vulnerability in their web servers.

A software fix for the vulnerability, called a patch, had been available in March but was not put in place. Equifax only reported the breach last week. As many as 143 million Americans and reportedly as many as 44 million people in the UK are affected.

As of this weekend, all we know about Canada is that some people are affected, but we have no idea exactly how many or how much personal information has been compromised.

Reportedly 10,000 Canadian Automobile Association (CAA) subscribers in Canada have been notified that their information was included in the breach.

Why don’t we know more?

To be honest, it’s the result of gaping holes in Canada’s privacy legislation.

Companies aren’t yet required to report data breaches or disclose any information about such breaches. We are severely lagging behind many countries in this regard, including the U.S., and are leagues behind leaders like Europe.

We passed some laws in 2015 regarding breach reporting, but haven’t yet brought into force the regulations required to support the law.

Canada’s federal privacy commission issued a statement on Tuesday urging Equifax to provide this information to Canadians, pointedly noting they were first notified of the breach through media reports and have been “seized” with this issue.

The Commissioner says Equifax is “cooperating” with their office.

The privacy commissioner also took the unusual step of recommending Canadians not use the U.S. website Equifax has set up as it is only designed for use with U.S. Social Security numbers.

The new regulations under Canada’s digital privacy act will help a bit — they have fines of up to $100,000 for failing to report a breach like this, but fixed fines such as that have little impact on massive corporations.

What should Canada be doing?

Canada should move to adopt new European regulations called the General Data Protection Regulation or GDPR.

Fines under those rules can run up to $30 million Canadian or 4% of revenues, whichever is higher.

Those are numbers that are causing firms that do business in Europe to stand up, take notice, fix shoddy products and services and pay more attention to defending against attackers.

Firms the size of Equifax aren’t going to change their behaviour for $100,000 fines.

The bigger you are the easier you fall

Breaches such as what happened to Equifax happen every day for a combination of reasons ranging from people falling victim to scam e-mails, to delays in properly updating or patching software or servers, to not investing in appropriate security technologies or audits.

What many people don’t know or realize is that large firms have something called technical debt.

Technical debt begins to accrue when you build a new complex IT system — say a system for gathering and sharing people’s credit scores. Companies invest millions or even billions to build these systems and then launch them.

But over time, the technology ages.

If firms aren’t careful, the system they built can become vulnerable as more and more flaws are found in it over time.

If they don’t fix those bugs or flaws — which may cause further issues and can be time consuming, expensive or cause service outages — then as time goes on the probability of a data breach increases dramatically.

What can Canadians do?

Sadly, there’s not much Canadians who now have to live with the mess created by the breach can do to prevent something awful from happening to their finances.

Credit monitoring services help, but they can’t stop identity theft. They can only alert you that it’s happened or, at best, that it’s in progress.

Some of the better credit monitoring or identity theft services can go a bit further by assisting in recovering your identity and paying some of the legal costs, but at the end of the day a lot of stress and harm can be caused by a data breach.

In the U.S., there is an option for a credit freeze, though it can cost you money and take many steps to get in place.

Americans can ask the four major credit bureaus including Equifax not to provide their information to anyone, which will stop anyone from trying to get a car loan or credit in their name if the financial institution or service provider requires a credit check.

But that option really doesn’t exist in Canada.

Some of the bureaus do allow you to flag your account requiring additional ID or someone to contact you to approve any new credit applications, which may be helpful, but not all have that option and it’s not something that’s easy to figure out.

Moving past the SIN

The bigger, longer-term issue that the Equifax breach has cast a spotlight on is the obsolescence of the social insurance number and the need for a new secure form of unique personal digital identifier for government and commercial services.

We have to stop using a nearly 50-year-old approach that just doesn’t work in a 21st-century digital environment that’s full of cyber threats.

Efforts such as New Brunswick’s experiments to create a new secure digital ID are a step in the right direction.

10 TTC employees charged with fraud in alleged $5M insurance scheme

TORONTO - The Toronto Transit Commission says one current and nine former employees are facing criminal charges in connection with an alleged multimillion-dollar insurance scheme.

The TTC announced the charges Thursday as part of an ongoing investigation by the police and the public transit agency into false health benefit claims.

To date, the TTC says 150 employees have been fired, retired or resigned to avoid dismissal as a result of the investigation, which started in 2014.

All 10 people charged face one count of fraud over $5,000. Of the 10, one is an employee on medical leave.

The allegations centre around Healthy Fit, a Toronto orthotics store, which allegedly provided some or no products that were invoiced to Manulife Financial, the TTC’s insurance provider at the time.

It’s alleged that Healthy Fit then shared the insurance payments with TTC workers involved in a $5-million scheme.

The TTC says it anticipates more employee dismissals as it continues its investigation.

“The TTC has insurance to protect itself against financial loss due to benefits fraud,” the transit agency said in a statement. “Nevertheless, restitution is being sought from anyone who made an improper claim against the TTC’s benefits plan.”

Hamilton-Niagara RCMP Make Arrest in Synthetic Identity Fraud

The Hamilton-Niagara Regional Detachment of the Royal Canadian Mounted Police (RCMP) – Financial Crime Section has arrested and charged 48-year-old Naeem AKHTAR from Markham, Ontario with Fraud and Money Laundering. The value of the fraud is presently estimated to exceed $3 million.

The scheme involved over one hundred false identities used to obtain credit cards and other loans from Canadian financial institutions. Known as a make-up, pump-up, run-up scheme, the suspect created an elaborate network of false identities and shell companies. The fake identities used included false Ontario driver’s licenses or actual Province of Ontario driver’s licenses created using fake foreign passports, fake Social Insurance Cards or false Canadian Permanent Resident cards. This differed from traditional identity theft in that the personas created did not exist at all, which poses a threat to the Government of Canada’s systems and programs as well as the integrity of Canada’s financial institutions.

Credit was created using the fake identities with falsified employment records and paystubs from the shell companies controlled by AKHTAR. The credit was increased by patiently accepting credit increases over the years. The shell companies were used to launder the proceeds of the crime by creating false invoicing for the fraudulent credit cards.

The scheme was further complicated by the use of postal mail forwarding services. Through this, AKHTAR was able to provide dozens of seemingly unrelated and innocuous addresses on credit applications, but the mail would actually be redirected to rental mailboxes controlled by him.

AKHTAR is scheduled to appear in court on August 15th, 2017 in Newmarket, Ontario.

This investigation was assisted by proactive work from the anti-money laundering and corporate security units at Canadian Tire Bank, Canadian Imperial Bank of Commerce, The Bank of Montreal, TD Bank, Royal Bank, Scotiabank, and the Ontario Ministry of Transportation. The RCMP would also like to thank the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for its collaboration in this investigation.

“The creation and use of synthetic identities by criminals to enrich themselves is a threat to all Canadians and poses a significant risk to Canadian government programs and financial institutions. This investigation is an example of the effective partnership between the RCMP, FINTRAC and Canadian Financial Institutions. The RCMP is committed to working together with our partners to combat this type of fraudulent activity by criminals who only seek to enrich themselves at the expense of Canadians,” said Inspector Todd Gilmore, Southwest District Commander.

The investigation is ongoing.

SOURCE Royal Canadian Mounted Police

ACL Survey Finds Government Agencies Underperform on Fraud Detection & Reporting

Source: PRNewswire

Less than one third in public sector say the majority of fraud is ever detected

Government agencies performed significantly worse than the business sector on fraud detection and mitigation, according to a new survey. Less than one third of government respondents said the majority of fraud is detected and less than half said fraud that is detected ever gets reported, compared to 42 percent and 60 percent of respondents from the commercial sector, respectively.

The 2017 Fraud Survey from ACL, a risk management software provider helping governments and companies around the world stamp out fraud, polled more than 500 audit, compliance and risk management professionals on anti-fraud practices.

“Fraud in government agencies is estimated to cost taxpayers more than $136 billion each year, and that’s just from improper payments,” commented Dan Zitting, chief product officer at ACL. “While both the public and private sector need to enhance their anti-fraud practices, the relative underperformance by government agencies should be a major concern of elected officials and their constituents.”

The survey also found that less than 30 percent of anti-fraud recommendations are fully acted upon by government agencies, compared to about 40 percent in the business sector. Both government and business respondents said the primary reason for the failure to take action is lack of time/resources or approvals. However, this leading reason fraud is allowed to go unchecked was reported by less than a quarter of respondents (21 percent) in corporate firms, compared to nearly 40 percent of public sector professionals.

“Having worked with a number of government agencies to help them stop fraud, we were surprised by the differences in fraud management found between government and business,” said Scott Robinson, director, public sector, ACL. “It is clear that the public sector remains highly susceptible to fraud, and that many agencies are neglecting to take the necessary action to fulfill the public’s trust.”

2 men charged, 3rd sought in $10M fraud ring bust

By News Staff | City News

Toronto police have arrested two men, and are looking for a third, after they allegedly broke up a massive GTA fraud ring.

Police allege the trio used identity theft and fraud to fund a lavish lifestyle that included $10,000 crocodile shoes and $150,000 watches.

But the flashy clothing was just the tip of the iceberg: they allegedly stole $10 million from Canadians, Canadian institutions, and people living abroad.

The investigation began last summer. In the probe, police allegedly seized “37 fraudulently-obtained credit cards, hundreds of pieces of presumably stolen mail, and a series of notebooks containing the handwritten identity information of approximately 5,000 GTA residents.”

The details in the mail and in those notebooks were the starting point for the investigation, dubbed Project Royal. The Royal Canadian Mounted Police, the Competition Bureau of Canada, the Ontario Ministry of Government and Consumer Services, the Ontario Ministry of Finance, the U.S. Federal Trade Commission, and the U.S. Postal Inspection Service were all involved.

Adedayo Ogundana, 45, also known as Oladipupo Ogund, of Toronto, was arrested on Dec. 13, 2016. He’s charged with two counts of fraud over $5,000; 10 counts of fraud under $5,000; possession of property obtained by crime over $5,000; and possession of proceeds of crime.

He will appear in court on Thursday.

Adekunle Johnson Omitiran, 37, of Toronto, surrendered to police on April 27. He is charged with fraud over $5,000; four counts of fraud under $5,000; two counts of identity theft; trafficking identity information; possession of credit card obtained by crime; possession of proceeds of crime; possession of proceeds of crime; and fail to comply with probation.

He will appear in court on Friday.

Police believe Omitiran had ties to people with “legitimate” access to identity information. Those people, police allege, sold information to Omitiran. Police are trying to track down those people.

A warrant has been issued for Duro Akintola, 44, also known as Michie Noah, of Toronto.

Emmanuel Salako, 47, of Toronto, also known as Gee Salaq, has been indicted by the United States Postal Inspection Service in Chicago under the name George Salako. He is wanted in the U.S.
