Compromised bank cards lead to few answers from Canadian banks
Some banks cite privacy as a reason for being tight lipped about the recent problem
The president of the Consumers' Association of Canada is calling on banks to become more transparent and release information about what he feels is an increase in the number of compromised bank cards.
"We've seen an escalation in the last 12 months of compromised bank accounts, credit cards, debit cards and PINs," Bruce Cran told CBC News.
Cran said his organization has received "hundreds" of complaints, not only about initial compromises, but repeated compromises on the same account. He said some accounts were compromised as many as four times last year.
"The mere volume of what's happening at the moment indicates to us that there's a bigger problem here," he said.
BMO customer Samantha Brannen, for one, received a new credit card in late March with a letter that said the company had reason to believe her card was compromised.
"I was pretty concerned to find out that there had been some kind of a breach of security with my credit card," she said.
Few details in letters to customers
CBC News has also been contacted by customers of TD Canada Trust, Scotiabank and PC Financial who recently received letters and new credit cards.
A TD Canada Trust letter dated March 29 said the new card was in relation to "a recent data compromise that occurred at a merchant where you may have used your account (either through your TD credit card or using your account number)."
CBC News contacted all the major Canadian banks asking if they had sent letters and new credit cards, as well as how many cards were recently compromised and where the compromise took place.
CIBC said it has not experienced any problems.
RBC said it has not had "a mass reissue of credit cards," while BMO said there has been "nothing different than usual" in terms of the number of letters being sent to credit card holders.
Some banks cite privacy for not answering questions
None of the other banks that sent out letters and new cards would answer those questions, citing privacy reasons.
Scotiabank spokesman Rick Roth said when the bank becomes aware of "possible incidents," it replaces cards "out of an abundance of caution," adding these are precautionary measures and it has no reason to believe any fraudulent activity occurred.
TD, Scotiabank and PC Financial all cited privacy as the reason for not disclosing the number of affected customers and where the breach (or breaches) took place.
"Given that this is a standard and precautionary industry measure related to the protection of customers' personal financial information, I'm sure you can understand that it's our policy not to share these details publicly," said Michelle Reidel of PC Financial.
Toronto privacy lawyer Ted Charney told CBC News that banks frequently deal with this by just notifying customers by phone.
'Unusual' multiple banks involved
"In terms of privacy breaches involving banking institutions, it's unusual that you would have a number of banks all at the same time formally notifying customers by mail of their card being compromised," he said. "This is very unusual."
Charney said privacy is not a reason to withhold information from customers.
"What it sounds like to me is some kind of excuse in the short term for the banks to continue to investigate and respond to this data breach before they have to publicly announce it," Charney said.
Calls for more transparency
The Consumers' Association of Canada says the banks should be more transparent.
"I don't know whose privacy they're concerned about," said Cran.
Brannen also wants to know more.
"I think every cardholder has a right to know where the breach took place so they [can] take precautions to avoid the vendor until the problem is resolved and they have assurances that it is resolved," she said. "Every cardholder has that right to know they're secure."
Charney said customers should complain to their bank and if that doesn't result in more information, they should file a complaint with the federal privacy commissioner. He said federal legislation requires banks to notify the commissioner of any significant privacy or data breaches.
Unclear how many breaches have occurred
The office of the federal privacy commissioner told CBC News that the office hasn't received any recent complaints about this issue and it's not clear whether the cases are connected to any one specific breach.
"What I can tell you is that we regularly receive breach notifications from a variety of organizations such as retailers regarding credit card information being compromised," spokesman Tobi Cohen said, adding such incidents are common and can create the risk for credit card fraud and prompt banks to reissue credit cards.
He said it's a common practice for banks to decline to provide details about why they have reissued a particular card because they believe this could compromise their fraud prevention measures.