Story Tools: PRINT | Text Size: S M L XL | REPORT TYPO | SEND YOUR FEEDBACK

In Depth

Identity theft

When companies lose customer data

Last Updated January 26, 2007

It's only January, but spectacular privacy lapses by a few previously trusted corporations have already made 2007 a wary New Year for many Canadians.

Identity theft is a booming industry. (CBC)

On Jan. 26, less than a week after a major security breach affecting Winners and HomeSense stores in Canada, clothing retailer Club Monaco revealed that the RCMP is investigating whether customer credit information has been compromised. Company spokespersons say the possible breach is limited to its Canadian arm. Since the investigation is currently in progress, no further details are available. Club Monaco operates 28 locations in Canada.

On Jan. 18, TJX Cos., the parent company of Winners and HomeSense, revealed that computer hackers stole reams of customer information, including credit card numbers, from their database. Hours later, CIBC announced that it lost a file containing the confidential information of almost a half-million Talvest Mutual Funds clients.

Further compounding CIBC's embarrassment is the Jan. 26 revelation that Canada's privacy commissioner had to force the bank to announce the security lapse.

While CIBC spokespeople say there is no indication the data has been "inappropriately accessed," the loss of so much sensitive information may yet pose serious problems for any of the 470,000 clients whose names are in that file. The sheer scale of the CIBC incident puts it pretty high up the list of Canadian corporate security miscues.

In fact, it is not the first time that the CIBC has been at the forefront of corporate privacy lapses.

From 2001 to 2004, CIBC sent hundreds of faxes containing confidential customer information to a scrapyard in West Virginia.

Wade Peer, the scrapyard owner, claims he called CIBC several times to notify them he was receiving the faxes, which included names, account numbers, social security numbers and detailed account information. According to Peer, the bank said it was "his problem" and the faxes kept coming.

The faxes originated from CIBC branches across the country and were meant to be transmitted to the bank's central faxing unit, which had a similar number to Peer's.

Luckily for CIBC customers, Peer proved to be a trusty soul. He called a number of customers to notify them of the problem and he kept all the faxes under lock and key. None of the personal information was used for fraudulent purposes.

A wake-up call

Federal Privacy Commissioner Jennifer Stoddart investigated and determined that the CIBC breach represented a serious breakdown in corporate practices — and should sound the warning bell for other organizations that customer privacy is not to be taken lightly.

She called on CIBC to revamp its policies and chastized the bank for not alerting its customers about the breach until after the matter became public.

"The bank's privacy practices were seriously tested by these incidents and they failed," Stoddart said in her report.

"These incidents are a wake-up call to not only CIBC but to every organization in Canada that collects, uses or discloses personal information in the course of its commercial activities."

Ron Lalonde, the bank's chief privacy officer, agreed with Stoddart.

"The report identified shortcomings in the implementation of our privacy policy relating to these incidents and recommended that CIBC assess its policies and privacy management procedures and implement action plans to address deficiencies," he wrote in an internal memo.

In response to Stoddart's report, CIBC introduced new measures to revamp its internal security. The bank temporarily put the brakes on any faxes while it devised a new secure fax dialing system. In December 2004, the bank created a National Privacy Office to manage a new national database to track privacy issues.

Stoddart has since commenced a new inquiry into CIBC's Talvest case, which is potentially more serious because the bank doesn't know where the data is.

She also expressed concern over the number of people that could be affected.

Finance Minister Jim Flaherty has also become involved the matter, which has left customers and critics fuming.

NDP finance critic Judy Wasylycia-Leis blasted CIBC for the possibility that the bank might not have gone public without being forced.

"That makes this even more horrific," Ms. Wasylycia-Leis told reporters. "If Canadians think the banks will only comply with certain standards of decency under duress from Parliament, then we've got a serious problem on our hands."

Identity theft on the rise

At this point, it's not known whether CIBC's file has fallen into the wrong hands, but the threat is very real. Identity theft is a booming industry.

In 2005, PhoneBusters reported 11,231 identity theft complaints in Canada, amounting to $8,575,593.98 in losses, making this crime the fastest-growing form of consumer fraud in North America.

The security breach at TJX Cos. also could affect millions of customers. Since the company operates major chain retailers across North America and abroad.

The company admitted that customers in Britain, Ireland and Puerto Rico could also be affected, although it declined to offer specifics.

Further compounding the embarassment is TJX Co.'s revelation that the breach actually occurred in May of 2006, but wasn't discovered until December. Company spokeswoman Debra McConnell would not go so far as to say how many customers were at risk from the breach, only allowing that it was a limited number.

But her definition of "limited" was also vague. "By 'limited' we mean substantially less than millions," she said.

However, McConnell's estimation doesn't jibe with current reports. Less than a week after TJX's announcement, the Masschussetts Banking Association reported that the stolen information had already been used to make illicit purchases in several U.S. states as well as Sweden and Hong Kong.

The Globe and Mail reported financial sources saying that the stolen information could affect as many as 20 million credit and debit card accounts worldwide. Canadians have been lucky though; as of January 25, officials at Royal Bank, Bank of Montreal, and TD Bank all told CBC News that they have seen no cases of fraud resulting from the TJX breach.

CBC story: Canadian banks say no signs of credit card fraud victims after Winners breach

Security slip-ups from 2006

Complete statistics for 2006 aren't yet available, but it was a good year for hackers and other information thieves, a year in which thousands of Canadians were left exposed by breaches in corporate security.

Here are some of the lowlights in corporate security gaffes from 2006:

Sept. 22: hackers steal personal information — including credit card and bank account numbers — of donors to Brock University after breaking into school computers.

June 20: Credit reporting agency Equifax Canada reveals the theft of 2,000 credit files, the third such fraud to hit Equifax in as many years. In 2005, cyber-thieves rifled the information of another 600 customers, while 1,400 credit files were stolen from company computers in 2004.

June 19: thieves grab a laptop belonging to an MD Management LTD. employee who left the machine in a parked car at the West Edmonton Mall. The stolen computer contains financial information on 8,000 clients.

May 18: Bank of Montreal warns clients to monitor their accounts after a laptop containing personal information on more than 900 customers was stolen from an Ottawa branch earlier in the month.

Go to the Top

More on identity theft

In depth

Protecting your personal information
Sc@mmed: Inside the world of online identity theft from Marketplace

CBC stories

Ottawa police break up major identity theft ring
March 9, 2006
Identity theft ring broken up
March 17, 2006

External Links

RCMP: Identity theft
SafeCanada.ca
Office of the Privacy Commissioner of Canada: Identity theft

(Note: CBC does not endorse and is not responsible for the content of external sites - links will open in new window)

More on credit ratings

External Links

Equifax Consumer Services Canada
TransUnion Canada

(Note: CBC does not endorse and is not responsible for the content of external sites - links will open in new window)

[an error occurred while processing this directive] [an error occurred while processing this directive]
Story Tools: PRINT | Text Size: S M L XL | REPORT TYPO | SEND YOUR FEEDBACK

World »

302 Found

Found

The document has moved here.

more »

Canada »

302 Found

Found

The document has moved here.

more »

Politics »

302 Found

Found

The document has moved here.

more »

Health »

302 Found

Found

The document has moved here.

more »

Arts & Entertainment»

302 Found

Found

The document has moved here.

more »

Technology & Science »

302 Found

Found

The document has moved here.

more »

Money »

302 Found

Found

The document has moved here.

more »

Consumer Life »

302 Found

Found

The document has moved here.

more »

Sports »

[an error occurred while processing this directive] 302 Found

Found

The document has moved here.

more »

Diversions »

[an error occurred while processing this directive]
more »