However, Equifax Canada's customer service agents have told callers that only Canadians who have had dealings in the United States are likely to have had their information compromised in the data breach. It learned of the hacking on July 29.
The company's stock dropped another 8% in early trading Thursday following the FTC statement.
The Federal Trade Commission said on 14 September it has opened an investigation into the massive data breach at Equifax Inc, in a rare public disclosure that sent shares tumbling to their lowest in more than two years.
The FTC is not the only Washington authority looking into the breach.
The Apache software is widely used by companies to help build websites. "CAA did not handle or retain any of the information provided to Equifax", said Ian Jack, CAA managing director of communications and government relations. The two-month gap between when the patch was issued and when the attackers breached Equifax's network was a particularly risky time, as hackers began immediately exploiting the flaw on websites that didn't apply the fix, according to technology website Ars Technica. Since the company is holding off the details of its investigation, security experts believe that the attack possibly happened after the patch was made available since it was then widely distributed and publicized. The vulnerability was Apache Struts CVE-2017-5638.
"We're equally affected. Just because I don't have a social security number, I don't get access to information", said the partner at Gowlings law firm.
More recently, Equifax's cybersecurity has come under fire.
In particular, Warren called for the agency to scrutinize Equifax for potential security lapses and its poor handling of customer service after the breach was disclosed.
Rene Gielen, vice president at the Apache Software Foundation, said in an email Thursday that the group doesn't have reliable information on how long it takes companies to apply patches for vulnerabilities. "We have a data breach, we're not in too good a shape out of that, right?"
Worse yet: They also discovered "715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports", Krebs wrote. "So data security and how we go about ensuring that is something we spend a lot of time and effort on".