Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

PIPEDA Report of Findings #2015-007

April 13, 2015

---

Complaints under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”)

Complaint

1. On January 7, 2014, the Office of the Privacy Commissioner of Canada initiated a complaint, pursuant to subsection 11(2) of the Act, against Peoples Trust.
2. More specifically, based on information gathered prior to the commencement of our investigation, the then Interim Privacy Commissioner had reasonable grounds to investigate whether Peoples Trust was contravening:
   1. Principle 4.7 of Schedule 1 of the Act, by failing to implement safeguards that were appropriate in the circumstances, and
   2. Principle 4.5 of Schedule 1 of Act, by retaining individuals’ personal information for longer than necessary to fulfil its purposes.

Background

3. Peoples Trust is a federally regulated, privately owned trust company with headquarters in Vancouver, British Columbia.  It offers financial services including mortgages, deposits, and secured and prepaid credit cards through an online portal, telephone contact centre and physical locations located in Vancouver, Calgary and Toronto.
4. On October 7, 2013, Peoples Trust became aware of a possible breach after it received reports from eight customers who received text messages urging them to call Peoples Trust at a US telephone number (the “phishing texts”).  The texts did not originate from Peoples Trust and the number was not active.
5. A third-party consultant (the “Consultant”) hired by Peoples Trust confirmed the occurrence, cause and extent of the Breach (discussed in further detail below).  Peoples Trust then voluntarily reported the Breach to our Office on October 15, 2013.
6. In response to that notification, our Office engaged in a voluntary dialogue with Peoples Trust with a view to better understanding the cause and impact of the breach.
7. During the course of that dialogue, we received a number of complaints from individuals whose personal information had been compromised as a result of the incident. The allegations put forth by complainants largely pertained to the appropriateness of the safeguards implemented by Peoples Trust to protect customers’ personal information from unauthorized access or disclosure.
8. The then Interim Privacy Commissioner determined that, as outlined in paragraph 2 above, she had reasonable grounds to commence an investigation to address, in one Commissioner Initiated Investigation, the safeguards and retention issues raised in the complaints submitted to our Office by numerous individuals.

Summary of investigation

9. The facts as stated below are consistent with a statement of facts agreed upon with the respondent, and are based on representations and supporting documentation provided to our Office by Peoples Trust, including a report provided to Peoples Trust by its Consultant. We would like to highlight that the respondent was cooperative and responsive throughout our investigative process.

Details of “the Breach”

10. The Consultant identified that hackers accessed customer information contained in a Peoples Trust web database (the “breached database”), located on a “web server”, which held information entered by customers while applying for deposit or secured credit card products via the Peoples Trust online application portal (the “web portal”).
11. The breached database held the information of approximately 12,000 individuals, including customers and related third parties (e.g., guarantors and beneficiaries).  The information compromised for each affected individual generally included several of the following information elements: names, dates of birth (“DOB”), addresses, social insurance numbers (“SIN”), employment information, contact information, mother’s maiden name (for security question purposes), and in twelve cases, banking information from other financial institutions (for electronic funds transfer, “EFT”, purposes).  The type of information in the database for each individual depended on the type of product for which the customer had applied via the web portal.
12. Peoples Trust later discovered that another database on the web server, which held only out-of-date Peoples Trust account information, may also have been accessed, but the accounts contained in that database were no longer active.
13. The respondent’s internal banking system was isolated from the web server, with connection for email only, and there is no evidence that any information other than that on the web server was exposed.
14. It is not possible to determine exactly when the databases were first accessed as server logs were only available from September 8th, 2013, 30 days prior to the date of review by the Consultant.  In the review of available logs, the Consultant observed suspicious activity starting September 24th, 2013.  Peoples Trust has evidence, however, based on customer reports dating from October 3rd, 2013, that phishing texts were being received by its customers as early as September 18th, 2013. Peoples Trust is of the opinion, based on some non-customers receiving the phishing texts, that these earlier texts were probably unrelated to the compromise of the web server.

Circumstances Contributing to the Breach

15. In the fall of 2013, intruders accessed the breached database by exploiting a weakness in the Peoples Trust web portal.  More specifically, it was determined that the attackers were able to access the breached database via an obsolete and vulnerable web editor (i.e. an application used in design and maintenance of websites) that had been left unnecessarily on the web server. The web portal, originally designed by a third party hired by Peoples Trust in 2005, was redesigned early in 2013 by another third-party contractor.  That third-party web designer used a new web editor for management of the redesigned website, but left the previous web editor (the “old editor”) on the web server even though it was no longer required.  Peoples Trust explained that it was unaware that the old editor remained on the web server at the time of the breach.  As such, when a specific vulnerability in the old editor was widely publicized in February 2013, Peoples Trust took no steps to employ additional safeguards to prevent unauthorized access.  In fact, Peoples Trust was not aware of any updates having been implemented in respect of the old editor since its inclusion in the design of the original website in 2005.
16. The third party with whom Peoples Trust contracted to redesign its website and application portal had limited experience with respect to developing websites for the financial services industry.  Peoples Trust’s contract with that third-party did not stipulate any minimum information safeguards requirements.
17. The compromised information was stored on the web server so that it could be sent to the Peoples Trust internal banking system.  Application information was sent from the web server to Peoples Trust’s internal banking system immediately upon submission by the customer.  The submitted information was, however, also stored on the web server indefinitely in unencrypted format.  The breached database included unencrypted customer information from as far back as December 20, 2007.
18. During the period between 2005 (when the website was originally designed) and 2013 (when the Breach occurred), Peoples Trust did not carry out any follow-up monitoring or testing to identify potential vulnerabilities of the web portal or web server.
19. While Peoples Trust did have an internal security awareness training document to provide guidance with respect to some aspects of information safeguards for its employees, it did not have a comprehensive Information Security Policy, detailing how to handle and safeguard personal information, in place at the time of the Breach.

Breach Response

20. In addition to hiring the Consultant to analyse the cause and extent of the Breach, and notifying our Office, Peoples Trust has also undertaken steps to: contain the Breach; mitigate the risk to individuals whose information was compromised; and improve safeguards with a view to minimizing the risk of a future breach.

Containment

21. Peoples Trust, immediately upon confirming the Breach, took several steps to contain the Breach.  More specifically, Peoples Trust:
    1. took the web application portal and associated breached database off-line;
    2. purged all client information from the breached database;
    3. removed the old editor from the webserver;
    4. instituted regular checks to ensure that no client information was being stored in the breached database; and
    5. commenced accepting product applications only by telephone, until the web portal safeguards issues could be addressed.

Risk to Affected Individuals

22. Peoples Trust took the following steps to mitigate risk to individuals whose information was compromised as a result of the Breach:
    1. It altered authentication procedures to incorporate the use of identification information not exposed during the breach.
    2. The organization contracted with two major credit reporting agencies, Equifax and TransUnion, to place an alert on the credit file of each affected individual such that companies assessing the individual’s credit information could take additional precautions to verify identity.  Although individuals were not given the option to opt-out of the placement of this alert on their credit files, they are able to remove the alert at any time after placement by making a request directly to Equifax and/or TransUnion.  In absence of such a removal request, each alert will remain on the file for six years from the time of placement.
    3. Peoples Trust notified the financial institutions associated with the twelve individuals whose EFT banking information was compromised.
    4. The organization sent notification letters to each affected individual.  Letters were tailored to reflect the information exposed depending on the product for which the individual had applied.  Each letter identified: (i) the nature of the Breach; (ii) the information exposed; (iii) the potential risk of identity theft associated with such exposure; (iv) suggested strategies to mitigate the risk of fraud as well as a reference to Identify Theft resources on our Office’s website; (v) details of the alert placed on the individual’s credit file as well as how to have it removed; and (vi) contact information for the Peoples Trust Privacy Officer should individuals wish to raise any questions or concerns.

Risk of Future Breach

23. Finally, People’s Trust has implemented the following safeguards to mitigate against the risk of a future Breach:
    1. It has completely redesigned the architecture of its online application web portal:
       1. Application information is now sent directly by a “forms server”, in encrypted format, to an internal “intermediary server” before it is forwarded to a database on the “database server”.
       2. Application information is never stored on the forms server.
       3. The intermediary server protects the database by authenticating information before it reaches the database and by acting as a barrier to outside intrusion.
       4. General web content (e.g. brochures) is stored on a separate, segregated web server to allow for greater safeguard controls over the forms server.
    2. It has begun monitoring its online application system to identify and protect against future threats:
       1. Peoples Trust conducted a “penetration test” in November 2013 to identify any potential web server vulnerabilities.  No potential compromises were found.
       2. The web server is now monitored on a continuous basis by an automated system to identify potential vulnerabilities.  No material vulnerabilities have yet been identified.
       3. Peoples Trust has implemented a regular patching/updating schedule for web servers.
    3. It has developed and implemented an Information Security Policy to provide for specified standard safeguards in relation to: (i)  maintaining the confidentiality of customer information; (i) secure information storage; and (iii) safeguarding data on network storage devices.  That document has been communicated and made available to all Peoples Trust employees.   It has also created a Privacy Information Security Committee, comprised of senior management, which meets regularly to discuss information security issues.

Application

24. In making our determinations, we applied Principles 4.1.4, 4.5, 4.5.2, 4.5.3, 4.7, 4.7.1, 4.7.2, and 4.7.3 of Schedule I of the Act.
25. Principle 4.1.4 states that organizations shall implement policies and practices to give effect to the principles, including:(a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and, (d) developing information to explain the organization’s policies and procedures.
26. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.  Personal information shall be retained only as long as necessary for the fulfillment of those purposes. In particular, Principle 4.5.2 states, in part, that organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Principle 4.5.3 further states that personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.
27. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.  Principle 4.7.1 further states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.  Principle 4.7.2 provides, in part, that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.  More sensitive information should be safeguarded by a higher level of protection. Principle 4.7.3 also provides that the methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and, (c) technological measures, for example, the use of passwords and encryption.

Analysis

Safeguards and Related Accountability

28. In our view, Peoples trust did not implement adequate technological and organizational safeguards to protect the personal information provided to it by its customers for the purposes of processing online product applications.
29. The information compromised in the breach included sensitive personal information, such as financial information and/or detailed identification information (e.g., SIN, DOB, and security question answers) which could be used for purposes of phishing or identity theft.  As such, heightened safeguards should have been in place to protect such sensitive information against unauthorized access.
30. In our view, Peoples Trust failed to ensure adequate safeguards, commensurate with the sensitivity of the information at risk, in the development, implementation, and subsequent redesign of its web application portal.  It did not engage contractors with significant experience related to the design of financial services web applications, nor did it provide for minimum information security safeguard requirements in its contracts with such contractors.  As a result, customers’ sensitive personal information: (i) was stored unnecessarily, in duplicate form and in perpetuity, on a vulnerable server in unencrypted format; and (ii) was accessed via a vulnerable web editor, which was maintained unnecessarily on the web server, even after it had been rendered obsolete.
31. The respondent also failed to implement adequate monitoring and maintenance to ensure ongoing protection of personal information stored within its web server. It had no program in place to install regular updates to the web editor.  This resulted in a failure to install the specific update intended to address the well-publicized vulnerability that hackers appear to have exploited to perpetrate the breach.  The organization also lacked ongoing monitoring to detect potential security threats or weaknesses, and allow for proactive remediation before a potential breach occurs.  No such monitoring had been carried out since the website’s inception in 2005.
32. Finally, while Peoples Trust had an internal security policy providing guidance to employees with respect to information handling, the policy did not address the organization’s systems that may collect, use and disclose personal information.  As highlighted above, vulnerabilities in these systems, their development and ongoing monitoring contributed materially to the breach.
33. Ultimately, in our view, Peoples Trust’s personal information safeguards, and related procedures, were inadequate to protect the sensitive information which it needed to collect for the purposes of delivering its financial services, and therefore contravened Principles 4.7 and 4.1.4(a) of the Act.
34. We are, however, satisfied and pleased that, after our intervention, Peoples Trust has taken sufficient measures, not only to mitigate the risk to affected individuals but also to mitigate the risk of a future breach.  More specifically, the organization implemented substantial enhancements: (i) to mitigate the risk of affected individuals (via notice, credit alerts, etc.); (ii) to redesign its web portal to better protect against breach of application-related information; (iii) to augment monitoring and maintenance to ensure the continued effectiveness of its newly implemented safeguards; and (iv) to implement comprehensive policies and procedures to ensure that privacy is factored into the development of future system enhancements.

Retention

35. Our investigation determined that all data submitted by customers via the online application portal was stored on the web server unnecessarily, in duplicate and in perpetuity.  As the information was being retained on the web server without the organization’s knowledge, it clearly fell outside the scope of the organization’s retention policies and schedules.  Moreover, the information should not have been retained at all once it had been transferred to the organization’s secure internal banking system. Therefore it was clearly retained for longer than necessary.  If the information had not been on the web server, it would not have been compromised during the breach.
36. We therefore find that Peoples Trust’s retention of this inactive account information was a contravention of 4.5 of Schedule I of the Act.
37. We are, however, satisfied that changes implemented by the organization during the course of our investigation, including a change such that data is transferred directly and securely to the bank’s internal systems without ever being stored on the web server, have adequately addressed our Office’s concerns with respect to retention.

Conclusion

38. In our view, Peoples Trust had inadequate safeguards, and related procedures, to protect customers’ sensitive personal information collected via its online application web portal and stored on its web server.  The organization also retained such information, outside the scope of its retention policies, for longer than necessary for its purposes.
39. We also recognize, however, that following our intervention, Peoples Trust has taken significant timely and positive action to address the concerns we identified, both in the context of our pre-investigation dialogue and during the course of our Commissioner Initiated Investigation.  Remedial action included: (i) a comprehensive strategy to mitigate the risk to individuals affected by the breach; (ii) the cessation of unnecessary retention of customers’ personal information on the web server; (iii) enhanced safeguards, and related procedures, to protect information collected via the web portal; and (iv) more fulsome procedures to support the development of privacy protective practices in future.
40. Accordingly, we conclude that the matter is well-founded and resolved.