Many Canadian companies continue to leave their customers' personal information vulnerable to theft, neglecting to bolster online security systems with basic upgrades, the Office of the Privacy Commissioner said in a report released Tuesday.

Privacy commissioner Jennifer Stoddart said many companies continue to leave laptops unprotected without proper firewalls and encryption. She also noted a lack of proper privacy training leaves companies open to attacks.

The report said that just one-third of businesses had educated their staff about their responsibilities to safeguard consumers' information under the Personal Information Protection and Electronic Document Act (PIPEDA), Canada's private sector privacy law which governs the use, collection and disclosure of personal information.

"Too often, large corporations underestimate both the value of personal information and the risk that thieves will target it," Stoddart said in the report.

"As a result, we see deficient safeguards, lackadaisical privacy and security policies and procedures — and, of course, data spills."

TJX Cos. breach deemed the “largest-ever online burglary”

The report singled out the TJX Cos. data breach — in which more than 94 million credit and debit cards were exposed — as particularly "staggering" and the "largest-ever online burglary."

A probe by the privacy commissioner's office found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology to protect its wireless local networks.

The privacy commissioner also found the hackers did not use sophisticated equipment to break into the computer system.

"It's believed that thieves armed with an antenna and a laptop computer and some specialized software settled in outside a Marshall's in Miami and broke into the store's poorly protected wireless local area networks," the report said.

The report suggests the breach will cost TJX Cos. hundreds of millions of dollars.

Also in 2007, Talvest Mutual Funds, a subsidiary of CIBC, reported losing a hard drive containing the personal data of nearly half a million customers.

OPC calls for mandatory reporting

Stoddart also in the report recommended adding an amendment to PIPEDA that would force companies to report when a data breach occurred.

Such an amendment would help consumers to protect themselves and might motivate companies to take security more seriously, she said.

The privacy commissioner responded to 7,500 PIPEDA inquiries and closed 420 investigations in 2007, according to the report. The bulk of the breaches reported concerned financial institutions, while companies in the telecommunications, insurance and retail sectors also filed reports.

According to the anti-fraud call centre Phonebusters, there were 9,972 incidents of identity theft in 2007, with losses totalling $6,430,823.75.