RBC sends wrong RRSP info, including names and SINs, to 'approximately 500' customers
Some bank customers were mailed RRSP information for someone else, including names addresses and SINs
The biggest bank in Canada says it accidentally mailed hundreds of incorrect RRSP receipts to the wrong customers, exposing the names, addresses and social insurance numbers of those clients in the process.
Royal Bank of Canada says that as a result of what it called a "printing error" a number of its customers recently received RRSP contribution receipts that contained personal information about other clients of the bank.
"Privacy is one of our highest priorities and we sincerely apologize to clients who have been impacted," banks spokeswoman Aishling Cullen told CBC News, adding that they believe the number of affected clients is "approximately 500."
Todd Williams is one of the people who received the wrong receipt. The Ottawa resident noticed that a tax receipt he received in the mail last Thursday included some information on it that clearly wasn't his. "I was expecting it to be in triplicate," he says, "and I noticed the two bottom pieces were not my information."
Instead, those receipts contained a host of information about another Ontario woman he is in no way related to. The information included contribution amounts, an account number, a name, address and her social insurance number. While he can't be sure his information was also sent to someone else, the fact he had received someone else's made him "concerned, obviously, where my information had gone."
"Based on the way the receipt was printed, I have reason to believe someone else has my information," he says
- Heartbleed bug no danger to bank websites, group says
- Starbucks app used to hack into bank account, credit cards
While the two Royal Bank customers have nothing in common, the nine-digit receipt numbers on their RRSP forms share the first eight digits. Only the last one is different.
For its part, the bank says it is making "every effort to minimize any potential impacts to our clients," and urges anyone who suspects they may be affected to contact the bank by phone or at their local branch.
The bank says it will provide anyone affected "with corrected receipts as well as additional security monitoring at no charge," something Williams says he will be "perfectly happy" with.
Threat of ID theft
Personal information as sensitive as a name, address and especially a social insurance number can be valuable information for criminals who wish to commit fraud such as identity theft. But in and of itself, that information falling into the wrong hands isn't necessarily the end of the world, a prominent Toronto privacy and technology lawyer says.
Kristen Thompson, a lawyer at McCarthy Tétrault LLP in Toronto, says it takes quite a bit more than people think it does to commit major identity theft.
"You have to have a highly motivated criminal that has access to information sources from a number of places," she says, adding that she hears about small scale breaches such as the one described above on an almost monthly basis in her legal practice.
- Royal Bank customer's bank account looted 3 times by identity thieves
- Medical record privacy breaches an 'epidemic' in Alberta, commissioner says
"TV has led us to believe that if you lose any information, bad guys are going to buy a house and bankrupt you," she says. "But it's not quite that easy."
Thompson says major breaches are rare and generate alarmist headlines when they happen, but the reality is that small scale ones happen fairly often without any major harm being caused.
"My day to day is dealing with lost laptops, mobile devices missing, inadvertent mailouts and telephone lists that go to the wrong place," she says, adding that there is some seasonality to it. Around the holidays, retailers often land in hot water for mailing personal customer information to the wrong address, for example. And this time of year, with financial institutions sending out tax documents, there can be another surge.
Thompson adds that companies don't like breaches like this anymore than their customers do.
"They don't happen every day but a misplaced mailing like this is not what appears on CSI: Cyber," she says.