TD Canada Trust informs customers of break-in
Date Reported:
7/30/08
Organization:
TD Bank Financial Group
Contractor/Consultant/Branch:
TD Canada Trust
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"names, addresses, birthdates, social insurance numbers, account numbers, bill payment details, transactions and balances"
Breach Description:
"TD Canada Trust officials waited three weeks this summer before telling customers their personal information might have been stolen from a Vancouver branch."
Reference URL:
The Vancouver Sun
Report Credit:
Bruce Constantineau, Vancouver Sun
Response:
From the online source cited above:
TD Canada Trust officials waited three weeks this summer before telling customers their personal information might have been stolen from a Vancouver branch.
[Evan] Taking three weeks to notify customers is not too bad considering what we read about in most breaches.
Bank representative Kelly Hechler confirmed Tuesday a piece of computer equipment stolen during a June 22 break-in at the 4597 West 10th Ave. branch contained confidential customer information.
[Evan] What is "a piece of computer equipment", specifically? A tape? A laptop? A server? A SAN? A flash drive? Your guess is as good as mine.
"We first had to identify which customers may have been impacted," Hechler said in an interview.
"That took a little bit of time and as soon as we identified them, we sent out letters and followed up with phone calls."
Hechler would not reveal how many customers were affected by the security breach, calling it a "relatively small number."
[Evan] Relative to what? So vague.
the stolen equipment may have contained names, addresses, birthdates, social insurance numbers, account numbers, bill payment details, transactions and balances
[Evan] I presume that the information was not encrypted.
Hechler said the bank takes the security breach "extremely seriously."
account numbers are being changed if necessary, free credit monitoring services have been offered to customers and certain accounts have been flagged to ensure bank staff remains alert to any suspicious account transactions
[Evan] These reactionary measures will probably help to protect the affected people from inept fraud attempts, but won't help much to protect against a fraudster with some intelligence. Exposed information is always exposed information. Changing account numbers will not protect against someone using the other information to commit fraud. Credit monitoring only alerts a victim after fraud has already occurred and the length of protection is usually limited to a year or two. Flagging an account will only protect against that particular account being used for fraud.
Personal identification numbers (PINs) and passwords were not contained in the stolen equipment.
Hechler said no incidents of fraud related to the stolen customer information have occurred so far.
[Evan] Correction. No incidents of fraud have been received.
"If a customer experiences a loss related to this, we will reimburse them," she said.
[Evan] Should a customer be reimbursed for their time too? Say $125/hour? Just a suggestion.
The bank has told the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for B.C. about the event.
Hechler said the theft of confidential customer information is a "very rare" event at the bank but wouldn't release details of the break-in because it is still under investigation.
She said an alarm went off and police attended the break-in but thieves got away with the equipment.
"Security of customer information is extremely important to us so we're constantly reviewing what we do to make sure we have as much security in place as possible," Hechler said.
[Evan] I don't doubt that TD Canada Trust wants to do the "right thing", but I sometimes question the way some organizations go about doing the "right thing".
Commentary:
For all we know, TD Canada Trust does all it can be expected to do to protect confidential information. Then again, experience may tell us otherwise. There is not much information to go on here.
Past Breaches:
TD Ameritrade:
September, 2007 - TD Ameritrade Finds Breach During SPAM Investigation
