Permanent verification controls put in place to prevent accidental disclosure of personal information when printing credit cards and accompanying letters for clients

Incident Summary #6

Incident

A financial service provider reported that a corrupt data file used in the printing of replacement credit cards during a mail-out caused a series of cards and accompanying letters to erroneously include some personal information belonging to the provider's other cardholders.

Outcome

The service provider reported that 14,000 individuals were affected and the personal information involved were the names and pre-approved credit limits of other cardholders.

The service provider explained to our Office that it was in the process of issuing replacement credit cards to a select number of cardholders. In the process of replacing these credit cards, an error in the printing code bumped cardholders' names to the next line of characters, causing them to be associated with other cardholders' information. As a result, plastic credit cards and letters to individuals contained the wrong names and the wrong pre-approved credit limits.

The service provider indicated that they planned to notify individuals affected by the incident in letters accompanying the replacement cards. It also reported that all affected credit cards had been rendered inoperative. Additionally, the service provider reported that full fraud protection was guaranteed to all cardholders at all times and was not restricted to those who may have fallen victim to fraud as a result of the breach; victims would not be held accountable for fraudulent charges incurred by third parties. It stressed that all individuals impacted by this incident were from the same pool of cardholders. The service provider indicated to our Office that additional permanent verification controls had been put into place for all future printing.

Final Comment

In the course of reporting this incident to our Office, the service provider demonstrated that it had taken many positive steps to mitigate both risks to individuals and risks of recurrence of similar incidents.

Date modified: