CIBC's Talvest data breach a mystery, probe finds
TORONTO (Reuters) - Close to 500,000 customers of Canadian Imperial Bank of Commerce's Talvest mutual funds unit will never know if their personal data was accessed by outsiders, a nearly two-year investigation has concluded.
Canada's Office of the Privacy Commissioner, which launched an investigation in January 2007 after a hard drive containing Talvest customer information apparently disappeared, said on Thursday that due to deficient security policies and procedures, it was unclear whether the data had ever been transferred on to the hard drive in the first place.
A package that was presumed to contain the drive arrived empty at a CIBC computing center in Markham, Ontario, north of Toronto, in December 2006, with no sign of tampering.
Police and internal bank investigations failed to turn up the disk, and there has been no evidence of unauthorized access to affected clients' accounts, the privacy commissioner's report says.
"I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had even been made," Assistant Commissioner Elizabeth Denham said in a statement released on Thursday.
The privacy commissioner's office also raised concerns about the length of time it took the bank to alert police and customers about the potential breach, but determined that the 33 days that elapsed before clients were notified was "reasonable," given the number affected and effort required.
The bank "offered no explanation" for the apparent 24-day delay in notifying Montreal police, the report said.
As part of a server consolidation project, CIBC planned to transfer Talvest files containing information on 470,752 current and former Talvest client accounts from Montreal to the Toronto-area computing center in December 2006.
Those files contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.