TORONTO (Reuters) - Close to 500,000 customers of Canadian Imperial Bank of Commerce’s Talvest mutual funds unit will never know if their personal data was accessed by outsiders, a nearly two-year investigation has concluded.
Canada’s Office of the Privacy Commissioner, which launched an investigation in January 2007 after a hard drive containing Talvest customer information apparently disappeared, said on Thursday that due to deficient security policies and procedures, it was unclear whether the data had ever been transferred on to the hard drive in the first place.
A package that was presumed to contain the drive arrived empty at a CIBC computing center in Markham, Ontario, north of Toronto, in December 2006, with no sign of tampering.
Police and internal bank investigations failed to turn up the disk, and there has been no evidence of unauthorized access to affected clients’ accounts, the privacy commissioner’s report says.
“I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had even been made,” Assistant Commissioner Elizabeth Denham said in a statement released on Thursday.
The privacy commissioner’s office also raised concerns about the length of time it took the bank to alert police and customers about the potential breach, but determined that the 33 days that elapsed before clients were notified was “reasonable,” given the number affected and effort required.
The bank “offered no explanation” for the apparent 24-day delay in notifying Montreal police, the report said.
As part of a server consolidation project, CIBC planned to transfer Talvest files containing information on 470,752 current and former Talvest client accounts from Montreal to the Toronto-area computing center in December 2006.
Those files contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.
The bank, Canada’s fifth-largest, chose to copy the files onto two identical disk drives because the volume of data was too large to be transferred internally, the privacy commissioner said.
One of the two packages arrived fine. But the second package arrived empty -- and it may have been empty at the beginning of its journey, the privacy commissioner said.
But it is impossible to know for sure, because the bank did not trace whether or when the data copies were made, or by whom. The investigation also found the information being sent had not been encrypted.
“If CIBC had followed its policies and processes or had a technical means to determine whether the transfer to a second disk drive had actually taken place, quite possibly no further action would have been necessary,” Denham stated.
“Whether or not the personal information of more than 470,000 people was transferred to a disk drive should not be a mystery.”
CIBC now requires information to be encrypted if it travels outside the bank, and has taken remedial measures to fix “a number of other deficiencies” in its security policies and procedures, the privacy commissioner’s office said.
The office investigated previous breaches at CIBC, including episodes in 2004 when bank staff erroneously sent faxes containing customer information to a junkyard operator in West Virginia.
Reporting by Lynne Olver; editing by Rob Wilson