[ISN] CIBC loses info on 470,000 Canadians

From: InfoSec News (alerts@private)
Date: Thu Jan 18 2007 - 22:32:57 PST


Globe and Mail Update

The personal information of nearly half-a-million customers at a CIBC 
mutual fund subsidiary has gone missing, prompting fears of a potential 
security breach and inciting an investigation from Canada's federal 
privacy commissioner.

A backup computer file containing application data for 470,000 investors 
at Montreal-based Talvest Mutual Funds disappeared in transit on the way 
to Toronto recently, the bank said in a news release Thursday.

The file contained everything from client names and addresses to 
signatures, birth dates, bank account numbers and Social Insurance 
Numbers. Officials at CIBC Asset Management Inc., a division of the 
Canadian Imperial Bank of Commerce, said there is no evidence of fraud, 
nor is there any indication that any data on this hard drive has been 
accessed. The company did not explain how it lost the drive.

Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC 
following a faxing snafu two years ago, said she has determined there 
are grounds for another investigation in the Talvest matter, even though 
the bank brought the problem to her attention.

"Although I appreciate that the bank notified us of this incident and
that it is working cooperatively with my office, I am nevertheless
deeply troubled, especially given the magnitude of this breach, which
puts at risk the personal information of hundreds of thousands of
Canadians," said Ms. Stoddart. "My office is committed to carrying out a
thorough investigation into this matter and to ensuring that preventive
and corrective measures are put in place so that this does not reoccur."

The bank said it has taken immediate steps to rectify the problem, and 
has written letters to affected customers. The vast majority of these 
are clients of Talvest, rather than CIBC, which bought the mutual fund 
company in 2001.

The bank has promised to compensate customers for any loss, and is 
allowing them to enroll in a free credit monitoring program that can 
alert them if someone is trying to use their information without proper 

"Although we have no evidence that the information contained in the
backup file has been accessed in any way, we are acting out of an
abundance of caution and want to assure our clients that we are taking
all steps possible to address this matter," Steve Geist, president of
CIBC Asset Management, said in a statement.

This is the second major security issue for Canadians in as many days. 
Wednesday, the U.S. retailer that owns discount chains Winners and 
HomeSense revealed it had been the victim of a massive computer hacking 

Sources told The Globe and Mail that the network break-in at TJX Cos. 
may have affected as many as 20-million Visa cards worldwide, and some 
estimates suggest as many as 2-million of these cards are Canadian. It's 
unclear how big that number will be for other card providers, like 
MasterCard, but the numbers suggest it could be one of the largest such 
breaches the country has ever seen, according to one person in the 
financial community. The RCMP is assisting U.S. authorities with that 

The Talvest incident is another embarrassing episode on the privacy 
front for CIBC, which was at the centre of a faxing snafu in 2004. The 
bank sent errant faxes to a junkyard operator in West Virginia for three 
years, mistakenly divulging private customer information.

The junkyard operator eventually sued the bank for clogging his fax 
lines, and Canada's privacy commissioner launched an investigation. In a 
2005 report, she expressed concern about a breakdown in privacy 
practices that could reflect a bigger problem in Canadian business.
