Equifax Canada said Tuesday approximately 100,000 Canadian consumers may have had their personal information and credit card details compromised in a massive cyberattack that also affected 143 million Americans, as the U.S. parent company revealed it also had a separate data breach this year.

“We apologize to Canadian consumers who have been impacted by this incident,” Lisa Nelson, president and general manager of Equifax Canada, said in a statement.

“We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete.”

Read more:

Canada’s privacy watchdog launches probe into Equifax hack

Equifax’s data debacle shows need to rein in credit agencies: Wells

U.S. senators seek investigation of Equifax stock sales following data breach

The company said Tuesday the investigation is ongoing and it appears that the breached data may have included names, addresses, social insurance numbers and in some cases credit card numbers.

Equifax Canada has provided information to MasterCard and VISA about Canadians whose credit card details may have been compromised, for communication to the financial institutions involved, the company said in an update on its Canadian website. The financial institutions will communicate the information with its clients, it added.

The company said Tuesday that hackers accessed Equifax Inc.’s systems through a consumer website application intended for use by U.S. consumers. The hackers obtained access to files containing the personal information of some Canadian consumers through the interface, Equifax Canada said.

“Equifax Canada can confirm that Canadian systems are not affected,” the company said on its Canadian website. “We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

“Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S.”

On Sept. 7, Equifax announced that on July 29 it discovered a data breach that may have compromised the personal information of 143 million Americans and an undisclosed number of Canadian and U.K. residents. The company said last week that fewer than 400,000 U.K. individuals may have had some of their personal information compromised, but the scope was more limited and unlikely to lead to identity theft.

But Equifax, which collects data about consumers’ credit histories and provides credit checks to a variety of companies, had been tight-lipped about the impact of the cyberattack in Canada.

Equifax learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.

In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday.

Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.

Equifax said Tuesday that it will be sending mailed notices directly to Canadians who have been impacted in the cyberhack outlining the steps they should take. It is also offering Canadians whose data was put at risk free credit monitoring and identity theft protection for the next 12 months, a service offered to U.S. residents on the day the cyberattack was first announced.

While the credit data company has set up a dedicated website where U.S. residents can check whether they have been affected, it is set up for American Social Security Numbers and does not work for Canadians.

The company is now facing investigations in Canada and the U.S. At least two proposed class actions have been filed in Canada and many more in the U.S. against Equifax in connection with the data breach.

The company’s call centre staff in Canada have told callers that only Canadians that have credit files in the U.S. were likely to be impacted, such as individuals who may have lived or worked south of the border. But the Office of the Privacy Commissioner has said that, at this point, it is not clear that the affected data was limited to Canadians with U.S. dealings.

Loading... Loading... Loading... Loading... Loading... Loading...

The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.” Last Friday, Equifax announced that its chief information officer and chief security officer were retiring, effective immediately.

Equifax’s investigation thus far shows that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada says it is working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity conducting the ongoing investigation.

With files from Bloomberg