Financial institution reacts quickly to mass-mailing error

Incident Summary #11

February 19, 2016

Lessons Learned

  • Organizations conducting mass mail-outs of personal information, such as financial institutions during income tax season, should be aware that mistakes can happen and should take precautions to ensure that printing or mailing errors do not occur.  They should also have systems and policies in place to respond to any errors, if they do occur.
  • When dealing with mailing error situations, organizations should notify the recipients of the misdirected mail and, in order to reduce the likelihood of misuse, direct the recipients to either destroy or return the misdirected mail, and not to disclose this confidential information sent to them in error. In addition, organizations should notify the individuals whose tax information was misdirected in order to allow these individuals to raise concerns about possible identity theft.  Such organizations should review their internal policies and procedures to reduce the risk of future errors.

Incident

An individual received his RRSP tax contribution statement in the mail from his financial institution, which normally includes three copies of identical information (one copy for federal government, one for provincial government and one for the individual).  However, the individual noticed that one of the copies contained the information of an entirely different individual, including that person’s name, address, account number, RRSP contribution amount and social insurance number.

The financial institution reported the security breach to our Office, indicating that it was caused by a production error.  A few hundred other incorrect statements had been mailed to other clients as well. 

The financial institution promptly assembled its breach response team to assess the situation.  An investigation into the incident revealed that at one point during an automated printing of the statements, the cut-off point between each individual’s record and the next one was misaligned.  Each record was in effect truncated and separated from the next at the wrong place.  As a result, some statements contained information of a second individual, whose record followed in the series.

Outcome

After becoming aware of the incident, the financial institution:

  • notified clients who were affected and apologized;
  • provided them with new statements;
  • advised them that the bank was increasing the monitoring of their accounts; and
  • offered them complimentary credit alert monitoring with a credit reporting agency.

The financial institution also asked clients to destroy the incorrect tax statements they received.  In cases where clients decided to surrender their incorrect statement to one of the financial institution’s branches, branch employees were instructed to ensure their proper destruction.

In addition, the financial institution reviewed its internal procedures and controls.  New and enhanced controls were implemented to ensure adequate safeguards were in place to reduce the risk of a similar incident in the future.

Date modified: