Free Republic

CIBC loses data on 470,000 mutual fund customers
IT Business Canada ^ | 1/18/2007 | Shane Schick

Posted on 01/19/2007 6:17:15 AM PST by APRPEH

A backup drive gone missing leads the Privacy Commissioner of Canada to start its second investigation into the practices of one of the country's largest financial institutions. The bank explains its crisis management strategy.

CIBC is facing an investigation by federal Privacy Commissioner Jennifer Stoddart’s office following the loss of a backup drive containing personal and financial data on 470,000 customers of its subsidiary Talvest Mutual Funds.

The bank said it had no reason to believe information on the drive, which went missing while in transit between two offices, had been inappropriately accessed so far. The drive contained client names, signatures, addresses, signatures, date of birth, bank account numbers, beneficiary information and social insurance numbers, CIBC said. Talvest has retained original copies of the files on its secure Web site, the bank added.

CIBC spokesperson Rob McLeod said the drive also contained “information relating to the process used to open and administer the accounts,” but refused to provide more information while the police investigate. He said it did not contain passwords as such.

CIBC first learned of the missing drive close to the Christmas holidays last month, McLeod added.

“The intervening period has been spent cataloguing the information we knew was on file,” he said. “We have notified the Privacy Commissioner, developed a list of clients, and we were also developing communication materials and processes to communicate with clients.”

CIBC Asset Management, which handles the Talvest fund, has sent a letter to clients letting them know about the incident and has promised to compensate them for any monetary loss that directly comes from it. The bank has also set up a call centre and Web site to deal specifically with enquiries and will allow clients to enroll in a credit monitoring service to track any account abuses at no charge.

In a public statement, Stoddart said she was “deeply troubled” given “the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians.” Office of the Privacy Commissioner spokeswoman Anne-Marie Hayden noted that, as part of the five-year review of the Personal Information Protection and Electronic Documents Act, advocates have proposed legislation that would require companies to notify the public about a breach in a timely manner.

“When they contacted us before the holidays, the bank thought there may be a problem, but they thought they could possibly recover the information,” Hayden said. “The people affected have to be informed in an appropriate way. Going out too early could confuse the situation.”

This is not the first time CIBC has been embroiled in a privacy-related controversy. In 2004, the bank was subject to a four-month investigation into a complaint by West Virginia scrapyard owner Wade Peer, who said he had been receiving faxes from CIBC containing confidential data for three years. After several failed attempts to notify CIBC of the problem, Peer contacted a customer listed on one of the faxes in 2002, who informed his bank manager and CIBC customer care of the problem. The bank, however, did not follow up with Peer to ensure that faxing had ceased or that the documentation had been destroyed, the report from Stoddart’s office found.

Since then, the CIBC set up a Microsoft SQL Server-based database to track privacy issues and established a National Privacy Office in December of 2005. At the time, CIBC said it was developing a process to identify, assess and deal with potential issues and concerns and implementing short and long-term solutions to prevent future mishaps.


TOPICS: Business/Economy; Canada; Crime/Corruption; Government
KEYWORDS: databreach; idtheft; itsecurity; talvestfund
The drive contained client names, signatures, addresses, signatures, date of birth, bank account numbers, beneficiary information and social insurance numbers.

Data Breach Chronology

1 posted on 01/19/2007 6:17:17 AM PST by APRPEH

To: APRPEH
Talvest has retained original copies of the files on its secure Web site, the bank added.

And that's going to help calm their clients how?

2 posted on 01/19/2007 6:21:36 AM PST by mtbopfuyn (I think the border is kind of an artificial barrier - San Antonio councilwoman Patti Radle)

To: APRPEH

This was a breach of data security 101. Online data is becoming so secure that data thieves are resorting to physical theft of devices, malicious insiders, and social engineering in an ever-increasing manner. People are getting so intent on preventing front door attacks that the data thieves are waltzing in the back door and helping themselves to secured data right behind their backs. Chances are that some ethically challenged employee just wanted the drive for their own use, and has no plans for malicious use of the data, but you never know.

I completed an analysis a few months back where someone was able to make off with over 6 GB worth of data over a several-week period using a 1 GB thumb drive. This will almost certainly result in irreparable damage to the company that it happened to, and was easily preventable. Their internal security was so lax that even though they know who did it, it will be nearly impossible to prove. They had spent thousands of dollars last year in jacking up their front end security, but yet left the back door wide open for anyone with a medium level of know-how to steal them blind.


3 posted on 01/19/2007 6:38:51 AM PST by Space Wrangler
