The federal Privacy Commissioner has launched separate investigations into a pair of massive security breaches that could potentially compromise the personal information of millions of Canadian investors and credit card users.
The probes were confirmed yesterday, after Canadian Imperial Bank of Commerce revealed that one of its mutual fund subsidiaries lost a backup computer file containing personal data for 470,000 investors. The hard drive was lost in transit from the Montreal office of Talvest Mutual Funds, and may have contained everything from social insurance numbers and addresses to signatures, birthdates and bank account numbers, although CIBC said there is no indication that the data have been improperly accessed.
The CIBC gaffe came just one day after U.S. retailer TJX Cos., whose chains include Winners and HomeSense, said it had been victimized by a hacker who repeatedly broke into its network and stole customer data. The two incidents were unrelated.
Some reports have suggested that more than 40 million credit cards were exposed by the TJX break-in, which would make it one of the largest such incidents to hit North America. Sources said Visa alone is informing partners that 20 million of its cards could be affected, and there are estimates in the financial community that between one million and two million Canadian cards issued by banks and other institutions could have been left vulnerable by the breach. Visa would not confirm the numbers.
"They both clearly involve a significant amount of personal information and a lot of people," said Anne-Marie Hayden, a spokeswoman for the Office of the Privacy Commissioner.
"Any breach having an impact on this many people is of concern to our office."
Ms. Hayden said Privacy Commissioner Jennifer Stoddart is "deeply troubled" by the sudden rash of security problems, and by the fact that this is the second time she has launched a probe of CIBC in the past few years. In 2004, she investigated the bank for sending errant faxes to a West Virginia junkyard, and mistakenly divulging private customer information. Ms. Stoddart determined there was a "serious breakdown in CIBC's privacy policies," and recommended a host of safeguards that the bank implemented.
"The commissioner is concerned that once again there's an issue involving CIBC," Ms. Hayden said. CIBC brought the matter to the commissioner's attention late last month, after the hard drive went missing.
Identity theft experts said the two cases should serve as a wake-up call for Canadians, and perhaps make them more vigilant about checking their statements and credit reports for signs of improper activity.
"Canadians should be concerned. Should we all become paranoid? Well, maybe a little bit of paranoia is good," said Milena Head, a McMaster University professor who specializes in privacy and e-commerce issues. "For Canada, this is a big eye-opener . . . I think this order of magnitude that we've seen in the last few days will really hit home with Canadians."
There are some clear differences between the TJX incident and the missing hard drive at CIBC's Talvest unit. At TJX, a hacker appears to have stolen information. At CIBC, however, officials say there is no evidence of any fraud in customer accounts. Sources close to the internal probe at CIBC say investigators are examining all angles, but are considering the strong likelihood that the hard drive was misplaced through human error.
Even if that proves to be the case, experts said financial institutions must do a better job of safeguarding information.
"Too many are still using physical means to ship information, sometimes unencrypted," said Jacob Jegher with consulting firm Celent LLC. "Organizations need to start realizing that an ounce of prevention is worth a pound of cure."
CIBC has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.
Most of the clients are from Talvest, not CIBC, which acquired the mutual fund company in 2001.
The recent security breakdowns at CIBC and TJX Cos. exposed thousands of Canadians to potential damage from unauthorized release of their personal data. But these incidents are only the latest in a long series of similar breaches:
For three years, beginning in 2001, CIBC inadvertently faxed confidential information about hundreds of customers to a scrapyard operator in West Virginia. CIBC's then-CEO John Hunkin eventually apologized, and the federal Privacy Commissioner slapped the bank's wrist.
In mid-2005, criminals breached a computer firewall at credit reporting agency Equifax Canada Inc. and got access to hundreds of consumer files, with information on bank loans, credit cards and social insurance numbers. A year earlier, criminals posing as legitimate credit grantors managed to get access to about 1,400 Equifax files.
Early in 2006, dozens of backup computer tapes were sold at a B.C. government auction. Unfortunately the tapes weren't erased, and they contained sensitive medical information on thousands of individuals, including their HIV status. The province responded by banning the sale of surplus computer equipment.
In the early spring of 2005, a tape containing health information on more than 672,000 Albertans went missing. The tape was lost while being shipped from the province's data manager, IBM, to a subcontractor for conversion to microfiche. The province claimed the data wouldn't have been of much use to fraudsters.
A laptop, stolen from a car in an Edmonton parking lot in June, 2006, contained financial and other data on about 8,000 clients of MD Management, the financial services arm of the Canadian Medical Association. The employee who was responsible for the laptop was disciplined, and the organization installed more encryption equipment on its other computers.
About 900 customers of the Bank of Montreal in the Ottawa area were warned to monitor their bank accounts in September, 2006, after a laptop containing client files was stolen from a local branch. The theft prompted Ontario's Privacy Commission to issue a warning and a list of steps companies should take to protect laptop data.
RICHARD BLACKWELL/THE GLOBE AND MAIL
© 2007 The Globe and Mail. All rights reserved.