CIBC loses info on 470,000 Canadians

January 18, 2007

Sinclair Stewart

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and forcing the bank to spring into damage control mode.

A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.

The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Security numbers. Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.

The bank said it has taken immediate steps to rectify the problem, and has written letters to affected customers. The vast majority of these are clients of Talvest, rather than CIBC, which bought the mutual fund company in 2001.

The bank has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.

“Although we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter,” Steve Geist, president of CIBC Asset Management, said in a statement.

This is the second major security issue for Canadians in as many days. Wednesday, the U.S. retailer that owns discount chains Winners and HomeSense revealed it had been the victim of a massive computer hacking effort.

Sources told The Globe and Mail that the network break-in at TJX Cos. may have affected as many as 20-million Visa cards worldwide, and some estimates suggest as many as 2-million of these cards are Canadian. It's unclear how big that number will be for other card providers, like MasterCard, but the numbers suggest it could be one of the largest such breaches the country has ever seen, according to one person in the financial community. The RCMP is assisting U.S. authorities with that investigation.

The Talvest incident is another embarrassing episode on the privacy front for CIBC, which was at the centre of a faxing snafu in 2004. The bank sent errant faxes to a junkyard operator in West Virginia for three years, mistakenly divulging private customer information.

The junkyard operator eventually sued the bank for clogging his fax lines, and Canada's privacy commissioner launched an investigation. In a 2005 report, she expressed concern about a breakdown in privacy practices that could reflect a bigger problem in Canadian business.

main page ATTRITION feedback