"The freezing of Mr. Oudivikine's card was the result of his card being skimmed. It had nothing to do with the privacy issue," McLeod said.
The Toronto Star
May 21, 2005
Another privacy breach at CIBC
Ellen Roseman
Imagine this. You're facing an income tax audit and ask your bank for a list of your account transactions for a 20-month period.
You open the envelope you're given and find much more than you asked for. There are details of account activity for more than 100 other customers over the same period.
What do you do?
The customer in question called On Your Side and gave us the story.
But first, he called the Office of the Privacy Commissioner of Canada and handed over the personal information he'd received in error.
He also called the bank, CIBC, which was already under attack for sending unsolicited faxes with customers' personal information to a company in the United States and another in Quebec.
Andrei Oudivikine has been a CIBC customer for nine years, since he emigrated to Canada from Russia. He also worked for the bank for about a year in computer systems. He says he asked CIBC for his transactions late last year, but only got the envelope in February.
The bank says it took action as soon as it was notified of the privacy breach on Feb. 24, 2005.
"We immediately began contacting all the customers whose information had been attached in error to the document we gave Mr. Oudivikine," spokesman Rob McLeod told us. "We also contacted the Privacy Commissioner over this matter."
Social insurance numbers were not disclosed, he pointed out. (SINs make it easier for criminals to commit identity theft.) Customers were told they could change account numbers if they wanted.
"We determined that the risk of fraud was virtually non-existent based on the limited amount of information that was contained in these documents," McLeod added.
Oudivikine says the information he saw included details on customers' deposits and withdrawals, interest paid and average daily balances.
Since they were all clients at a CIBC branch near Bathurst St. and Steeles Ave., a neigbourhood popular with Russian immigrants, he recognized several names.
"We have been in very regular correspondence with Mr. Oudivikine by email since he first made us aware of this issue in February," McLeod says.
Last month, Oudivikine had another problem. He found an unauthorized withdrawal of $1,000 from his chequing account, leading to a temporary block on his convenience card.
"The freezing of Mr. Oudivikine's card was the result of his card being skimmed. It had nothing to do with the privacy issue," McLeod said.
Later, he was reimbursed for the unauthorized withdrawal and his card was unblocked.
We wondered how a customer who asked for his own account activity would get 35 pages worth of information about other customers' account activity.
"When these transaction journals are printed off at our processing centre, they can contain information about other accountholders," McLeod explained. "Prior to their being delivered to customers at the branch, the information that does not relate directly to the customer making the request is removed. Unfortunately, that did not happen in this case."
McLeod said "aggressive steps" are being taken to prevent this happening again:
- Reports sent to the branches now have a large cover sheet attached, advising branch staff to review them before giving them to customers.
- Information going directly to the customer from the processing centre is double-checked manually before it's mailed out.
- A notice has been sent to CIBC front-line staff, telling them about the error in Oudivikine's case and the preventive measures being implemented.
"Longer-term, we're looking at a technology solution that permits us to print off only the requested transaction journals," McLeod said.
It seems CIBC is still working on systems to make employees aware of the sensitive nature of privacy issues.
"The bank's privacy practices were seriously tested by these incidents and they failed," the privacy commissioner said in a news release last month about the misdirected faxes.
The privacy breaches were "deeply disturbing," the privacy commissioner said, because they occurred over a number of years (2001 to 2004) and the bank was ineffective in trying to stop the problems.
Moreover, CIBC made no effort to advise customers about the disclosure of personal information until after the story became public last November and the privacy commissioner's investigation had been launched.
Ted Speevak, a customer whose information went astray, has started a class-action suit against CIBC in the case of the misdirected faxes. The statement of claim is available at http://www.cacounsel.com.
Brought to you by WikidFranchise.org
Risks: Canadian Imperial Bank of Commerce, CIBC, Banks, Office of the Privacy Commissioner of Canada, Privacy breaches a prerequisite for fraud, Very unusual coincidence, Canada, 20050521 Another privacy
