Bank’s lack of accountability leaves possible data breach a mystery
Privacy Commissioner’s Office satisfied with CIBC actions to correct deficiencies in the bank’s security policies and procedures related to the handling of personal information
Ottawa, November 27, 2008 — Close to half a million people will likely never know whether their personal information was compromised in a data breach at the Canadian Imperial Bank of Commerce (CIBC), according to the Office of the Privacy Commissioner of Canada.
The Commissioner began investigating after the bank informed her about the disappearance of a hard drive containing the personal information and financial data of some 470,000 clients of Talvest Mutual Funds, which were at that time a family of CIBC Mutual Funds. There was also significant public and media interest in the matter.
The investigation revealed that the bank could not confirm whether that personal information was ever transferred to a hard drive in the first place.
“I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had even been made,” says Assistant Commissioner Elizabeth Denham.
As part of a server consolidation project, CIBC transferred Talvest files from Montreal to its Toronto-area computing centre in December 2006. The files of 470,752 accounts of current and former Talvest clients variously contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.
Officials decided the amount of data being transferred was too large to permit a transfer over an internal network, which was the bank’s normal practice. Instead, CIBC decided to copy the files onto two identical disk drives – one to be sent by land, the other by air.
While the air-shipped package arrived without incident, the land-shipped package was opened and found to be empty. There was no sign the empty package had been tampered with.
CIBC alerted both the Privacy Commissioner’s Office and the police after a thorough search failed to turn up the drive. To date, the missing disk drive has not turned up.
There is no evidence that personal information on the drive has been improperly accessed and misused. Also noteworthy is the fact that the courier who picked up the land-shipped package in Montreal had noticed it was extremely light and asked whether there was anything inside it.
CIBC now considers it highly possible that the package was empty all along. Unfortunately, it is impossible to be certain of this conclusion because CIBC’s computer systems didn’t track whether, when, and by whom copies of data onto portable storage devices were made. There was also a lack of supervision of the data transfer process.
“If CIBC had followed its policies and processes or had a technical means to determine whether the transfer to a second disk drive had actually taken place, quite possibly, no further action would have been necessary,” says Ms Denham. “Whether or not the personal information of more than 470,000 people was transferred to a disk drive should not be a mystery.”
The OPC’s investigation also raised concerns that the personal information being sent had not been encrypted, given the potential for the data to be accessed and viewed by unauthorized parties. CIBC has since adopted a policy which requires information to be encrypted if it must travel outside the bank.
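The two control gaps the findings describe are the absence of any record of whether, when and by whom data was copied onto a portable drive, and the absence of encryption on data leaving the bank. The following Go program is an added illustration of how both are commonly closed at the same step; it is not code from CIBC, Talvest or the OPC. It seals the export with AES-256-GCM and, in the same operation, writes a transfer record (operator, timestamp, label, size, hashes of plaintext and ciphertext) that an append-only audit log would retain, so that a receiving site can check a delivered drive against the manifest and the originating site can later prove whether a copy was ever produced. The function and type names, the operator identity, the label and the sample client export are all constructed for this example, and the 32-byte key is assumed to have been provisioned out-of-band rather than shipped with the drive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TransferRecord is the audit entry written at the moment data is copied onto
// a portable device. It answers the questions an investigation would ask:
// whether a copy was made, when, by whom, and of exactly what content.
type TransferRecord struct {
	Operator         string    `json:"operator"`
	CreatedAt        time.Time `json:"created_at"`
	Label            string    `json:"label"`
	PlaintextBytes   int       `json:"plaintext_bytes"`
	PlaintextSHA256  string    `json:"plaintext_sha256"`
	CiphertextSHA256 string    `json:"ciphertext_sha256"`
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EncryptForTransport seals plaintext with AES-256-GCM (random nonce prepended
// to the ciphertext) and returns the audit record describing the copy. The
// label is bound into the authentication tag so a sealed payload cannot be
// quietly paired with a different manifest.
func EncryptForTransport(plaintext, key []byte, operator, label string, now time.Time) ([]byte, TransferRecord, error) {
	if len(key) != 32 {
		return nil, TransferRecord{}, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, TransferRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, TransferRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, TransferRecord{}, err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(label))
	rec := TransferRecord{
		Operator:         operator,
		CreatedAt:        now.UTC(),
		Label:            label,
		PlaintextBytes:   len(plaintext),
		PlaintextSHA256:  hashHex(plaintext),
		CiphertextSHA256: hashHex(sealed),
	}
	return sealed, rec, nil
}

// VerifyAndDecrypt is the receiving side: it compares the delivered bytes with
// the manifest, authenticates and decrypts them, then confirms the recovered
// content matches what the sender recorded.
func VerifyAndDecrypt(sealed, key []byte, rec TransferRecord) ([]byte, error) {
	if hashHex(sealed) != rec.CiphertextSHA256 {
		return nil, errors.New("delivered payload does not match transfer record")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("payload too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(rec.Label))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	if hashHex(plaintext) != rec.PlaintextSHA256 || len(plaintext) != rec.PlaintextBytes {
		return nil, errors.New("decrypted content does not match transfer record")
	}
	return plaintext, nil
}

// AuditLine renders the record as a single JSON line for an append-only log.
func AuditLine(rec TransferRecord) (string, error) {
	b, err := json.Marshal(rec)
	return string(b), err
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from a key-management system
	for i := range key {
		key[i] = byte(i)
	}
	export := []byte("constructed sample: account,client,sin\n1001,A. Client,000-000-000\n")
	sealed, rec, err := EncryptForTransport(export, key, "operator-demo", "talvest-export-demo", time.Now())
	if err != nil {
		panic(err)
	}
	line, _ := AuditLine(rec)
	fmt.Println("audit:", line)
	back, err := VerifyAndDecrypt(sealed, key, rec)
	fmt.Printf("receiver recovered %d bytes, err=%v\n", len(back), err)
}
```

The record is produced by the same function that produces the sealed payload, so a log entry exists if and only if a copy was actually made; an empty log for a given label is then evidence that no copy left the site, which is exactly the determination the bank could not make.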
The bank has also put in place a number of remedial measures to address a number of other deficiencies in the content and the application of its security policies and procedures, notably those relating to the handling and movement of confidential information.
Overall, the Assistant Commissioner was satisfied with CIBC’s response. Although the complaint – initiated by the Commissioner – was well-founded, it was considered resolved.
It is important for companies to notify the OPC about data breaches involving personal information. The OPC’s breach notification guidelines are available online at www.priv.gc.ca.
A more detailed summary of the investigative findings in the CIBC-Talvest incident is also available on the OPC Web site.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
— 30 —
For more information and/or media interview requests, contact:
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103