B
bizorky
Guest
Probes launched into data security breaches
SINCLAIR STEWART
From Friday's Globe and Mail
The federal Privacy Commissioner has launched separate investigations into a pair of massive security breaches that could potentially compromise the personal information of millions of Canadian investors and credit card users.
The probes were confirmed Thursday, after Canadian Imperial Bank of Commerce revealed that one of its mutual fund subsidiaries lost a backup computer file containing personal data for 470,000 investors. The hard drive was lost in transit from the Montreal office of Talvest Mutual Funds, and may have contained everything from social insurance numbers and addresses to signatures, birthdates and bank account numbers, although CIBC said there is no indication that the data have been improperly accessed.
The CIBC gaffe came just one day after U.S. retailer TJX Cos., whose chains include Winners and HomeSense, said it had been victimized by a hacker who repeatedly broke into its network and stole customer data. The two incidents were unrelated.
Some reports have suggested that more than 40 million credit cards were exposed by the TJX break-in, which would make it one of the largest such incidents to hit North America. Sources said Visa alone is informing partners that 20 million of its cards could be affected, and there are estimates in the financial community that between one million and two million Canadian cards issued by banks and other institutions could have been left vulnerable by the breach. Visa would not confirm the numbers.
“They both clearly involve a significant amount of personal information and a lot of people,†said Anne-Marie Hayden, a spokeswoman for the Office of the Privacy Commissioner.
“Any breach having an impact on this many people is of concern to our office.â€
Ms. Hayden said Privacy Commissioner Jennifer Stoddart is “deeply troubled†by the sudden rash of security problems, and by the fact that this is the second time she has launched a probe of CIBC in the past few years. In 2004, she investigated the bank for sending errant faxes to a West Virginia junkyard, and mistakenly divulging private customer information. Ms. Stoddart determined there was a “serious breakdown in CIBC's privacy policies,†and recommended a host of safeguards that the bank implemented.
“The commissioner is concerned that once again there's an issue involving CIBC,†Ms. Hayden said. CIBC brought the matter to the commissioner's attention late last month, after the hard drive went missing.
Identity theft experts said the two cases should serve as a wake-up call for Canadians, and perhaps make them more vigilant about checking their statements and credit reports for signs of improper activity.
“Canadians should be concerned. Should we all become paranoid? Well, maybe a little bit of paranoia is good,†said Milena Head, a McMaster University professor who specializes in privacy and e-commerce issues. “For Canada, this is a big eye-opener . . . I think this order of magnitude that we've seen in the last few days will really hit home with Canadians.â€
There are some clear differences between the TJX incident and the missing hard drive at CIBC's Talvest unit. At TJX, a hacker appears to have stolen information. At CIBC, however, officials say there is no evidence of any fraud in customer accounts. Sources close to the internal probe at CIBC say investigators are examining all angles, but are considering the strong likelihood that the hard drive was misplaced through human error.
Even if that proves to be the case, experts said financial institutions must do a better job of safeguarding information.
“Too many are still using physical means to ship information, sometimes unencrypted,†said Jacob Jegher with consulting firm Celent LLC. “Organizations need to start realizing that an ounce of prevention is worth a pound of cure.â€
CIBC has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.
Most of the clients are from Talvest, not CIBC, which acquired the mutual fund company in 2001.
SINCLAIR STEWART
From Friday's Globe and Mail
The federal Privacy Commissioner has launched separate investigations into a pair of massive security breaches that could potentially compromise the personal information of millions of Canadian investors and credit card users.
The probes were confirmed Thursday, after Canadian Imperial Bank of Commerce revealed that one of its mutual fund subsidiaries lost a backup computer file containing personal data for 470,000 investors. The hard drive was lost in transit from the Montreal office of Talvest Mutual Funds, and may have contained everything from social insurance numbers and addresses to signatures, birthdates and bank account numbers, although CIBC said there is no indication that the data have been improperly accessed.
The CIBC gaffe came just one day after U.S. retailer TJX Cos., whose chains include Winners and HomeSense, said it had been victimized by a hacker who repeatedly broke into its network and stole customer data. The two incidents were unrelated.
Some reports have suggested that more than 40 million credit cards were exposed by the TJX break-in, which would make it one of the largest such incidents to hit North America. Sources said Visa alone is informing partners that 20 million of its cards could be affected, and there are estimates in the financial community that between one million and two million Canadian cards issued by banks and other institutions could have been left vulnerable by the breach. Visa would not confirm the numbers.
“They both clearly involve a significant amount of personal information and a lot of people,†said Anne-Marie Hayden, a spokeswoman for the Office of the Privacy Commissioner.
“Any breach having an impact on this many people is of concern to our office.â€
Ms. Hayden said Privacy Commissioner Jennifer Stoddart is “deeply troubled†by the sudden rash of security problems, and by the fact that this is the second time she has launched a probe of CIBC in the past few years. In 2004, she investigated the bank for sending errant faxes to a West Virginia junkyard, and mistakenly divulging private customer information. Ms. Stoddart determined there was a “serious breakdown in CIBC's privacy policies,†and recommended a host of safeguards that the bank implemented.
“The commissioner is concerned that once again there's an issue involving CIBC,†Ms. Hayden said. CIBC brought the matter to the commissioner's attention late last month, after the hard drive went missing.
Identity theft experts said the two cases should serve as a wake-up call for Canadians, and perhaps make them more vigilant about checking their statements and credit reports for signs of improper activity.
“Canadians should be concerned. Should we all become paranoid? Well, maybe a little bit of paranoia is good,†said Milena Head, a McMaster University professor who specializes in privacy and e-commerce issues. “For Canada, this is a big eye-opener . . . I think this order of magnitude that we've seen in the last few days will really hit home with Canadians.â€
There are some clear differences between the TJX incident and the missing hard drive at CIBC's Talvest unit. At TJX, a hacker appears to have stolen information. At CIBC, however, officials say there is no evidence of any fraud in customer accounts. Sources close to the internal probe at CIBC say investigators are examining all angles, but are considering the strong likelihood that the hard drive was misplaced through human error.
Even if that proves to be the case, experts said financial institutions must do a better job of safeguarding information.
“Too many are still using physical means to ship information, sometimes unencrypted,†said Jacob Jegher with consulting firm Celent LLC. “Organizations need to start realizing that an ounce of prevention is worth a pound of cure.â€
CIBC has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.
Most of the clients are from Talvest, not CIBC, which acquired the mutual fund company in 2001.