Another privacy breach at CIBC

"The freezing of Mr. Oudivikine's card was the result of his card being skimmed. It had nothing to do with the privacy issue," McLeod said.

The Toronto Star
May 21, 2005

Another privacy breach at CIBC
Ellen Roseman

Imagine this. You're facing an income tax audit and ask your bank for a list of your account transactions for a 20-month period.

You open the envelope you're given and find much more than you asked for. There are details of account activity for more than 100 other customers over the same period.

What do you do?

The customer in question called On Your Side and gave us the story.

But first, he called the Office of the Privacy Commissioner of Canada and handed over the personal information he'd received in error.

He also called the bank, CIBC, which was already under attack for sending unsolicited faxes with customers' personal information to a company in the United States and another in Quebec.

Andrei Oudivikine has been a CIBC customer for nine years, since he emigrated to Canada from Russia. He also worked for the bank for about a year in computer systems. He says he asked CIBC for his transactions late last year, but only got the envelope in February.

The bank says it took action as soon as it was notified of the privacy breach on Feb. 24, 2005.

"We immediately began contacting all the customers whose information had been attached in error to the document we gave Mr. Oudivikine," spokesman Rob McLeod told us. "We also contacted the Privacy Commissioner over this matter."

Social insurance numbers were not disclosed, he pointed out. (SINs make it easier for criminals to commit identity theft.) Customers were told they could change account numbers if they wanted.

"We determined that the risk of fraud was virtually non-existent based on the limited amount of information that was contained in these documents," McLeod added.

Oudivikine says the information he saw included details on customers' deposits and withdrawals, interest paid and average daily balances.

Since they were all clients at a CIBC branch near Bathurst St. and Steeles Ave., a neigbourhood popular with Russian immigrants, he recognized several names.

"We have been in very regular correspondence with Mr. Oudivikine by email since he first made us aware of this issue in February," McLeod says.

Last month, Oudivikine had another problem. He found an unauthorized withdrawal of $1,000 from his chequing account, leading to a temporary block on his convenience card.

"The freezing of Mr. Oudivikine's card was the result of his card being skimmed. It had nothing to do with the privacy issue," McLeod said.

Later, he was reimbursed for the unauthorized withdrawal and his card was unblocked.

We wondered how a customer who asked for his own account activity would get 35 pages worth of information about other customers' account activity.

"When these transaction journals are printed off at our processing centre, they can contain information about other accountholders," McLeod explained. "Prior to their being delivered to customers at the branch, the information that does not relate directly to the customer making the request is removed. Unfortunately, that did not happen in this case."

McLeod said "aggressive steps" are being taken to prevent this happening again:

  • Reports sent to the branches now have a large cover sheet attached, advising branch staff to review them before giving them to customers.
  • Information going directly to the customer from the processing centre is double-checked manually before it's mailed out.
  • A notice has been sent to CIBC front-line staff, telling them about the error in Oudivikine's case and the preventive measures being implemented.

"Longer-term, we're looking at a technology solution that permits us to print off only the requested transaction journals," McLeod said.

It seems CIBC is still working on systems to make employees aware of the sensitive nature of privacy issues.

"The bank's privacy practices were seriously tested by these incidents and they failed," the privacy commissioner said in a news release last month about the misdirected faxes.

The privacy breaches were "deeply disturbing," the privacy commissioner said, because they occurred over a number of years (2001 to 2004) and the bank was ineffective in trying to stop the problems.

Moreover, CIBC made no effort to advise customers about the disclosure of personal information until after the story became public last November and the privacy commissioner's investigation had been launched.

Ted Speevak, a customer whose information went astray, has started a class-action suit against CIBC in the case of the misdirected faxes. The statement of claim is available at

Brought to you by

Risks: Able to finance and sell negative cash flow franchise on crooked appraisals, Andrei Oudovikine, Appearance of government oversight, Arthur Wishart Act (Franchise Disclosure), 2000, Canada, Asset-based lending, Auditor General of Canada, Bad faith and unfair dealings, Bank Act, Canada, Bank violates federal privacy laws, Bank complaint process protects those who pay their salaries, Bank pays franchisor with franchisee's funds, Bank refuses to provide mandatory documents, Bank violates federal privacy laws, Bank won't finance deal because they know something you don't, Bankruptcy, Bankruptcy, first the company and then you personally, Banks, Banks allegedly mastermind fraud, Banks are industry cheerleaders, Banks collude, Blocking for the industry, Canada Revenue Agency, Canada Small Business Financing Act, Canada Small Business Financing program, Canadian Alliance of Franchise Operators, CAFO, Canadian Franchise Association, CFA, Canadian Imperial Bank of Commerce, CIBC, Code of ethics, a joke, Code of ethics, almost never enforced, Coerced waiver of legal rights, self, Collaborators, Complaint letter to franchisors trade association, Conspiracy to commit fraud, Conspiracy to hide the true nature of events in order to avoid detection, Controlling, trapping or defeating the franchisee, Credence good fraudulent expert, Credence goods: taking advantage of the innocents, Credibility, Criminal charges, Debt traps, Deceptive business practices, Earnings claim made, Externalities: cheap business decision when someone else pays, Financial Consumer Agency of Canada, Franchise banker, Franchise business model perfectly suited to enable massive fraud, Franchisee leader, Franchising is the most lucrative form of commercial lending, Franchising Opportunism paper, Franchisor financing: faster in, out & resold (serial bankrupts), Franchisor knew they were selling money losing concepts, FranWhack: a system that is not investment-worthy, Fraud, Fraud financed by rigged appraisals used equipment & leaseholds, Fraudster banker, Fraudster broker, Fraudster franchisor, Futility of taking legal action, Government guaranteed loan approved extremely quickly, Government guaranteed loan filled out by sales agent, Government guaranteed loan made without proper security, Government guaranteed loan misapplied, Government guaranteed loan program very attractive to fraud, Government guaranteed loans, Government guaranteed loans used a great deal in franchising, Government guaranteed loans: program loses $1, franchisee families lose $10, Government inquiries into franchise abuse allegations, Government investigation, Government inquiries into franchise abuse allegations, Ideas once outrageous are now considered normal, Illusion of government oversight, Imbalance of information and power, Immigrants as prey, Incompetent or predatory: for the small business investor, the outcome is the same, Industry Canada, Industry in disrepute, Industry elites like this regulator, Knew or could have reasonably been expected to know, Lender's due diligence not done properly, Lending duty, Lending duty never enforced via regulation or litigation, Lending is subject to expert fraud because it is a credence good service, Lending risk much lower, Les Stewart, Loan pushing, Loan servicers and brokers attracts fraud, Minister of Finance, Canada, Ministry of Government and Consumer Services, Ontario, Misrepresentations, Most lucrative form of commercial lending, franchising, Multi-tradename franchisors are often the most ruthless, Office of the Superintendent of Financial Institutions, Canada, Ombudsman for Banking Services and Investments, Canada, Ombudsman, franchisee must sign gag order 1st, Ombudsman, funded by franchisors & suppliers, Ombudsman, risk of information going to franchisor, Only saw bank official once before loan granted, Opportunism (self-interest with deceit), Police intervention, Predatory actions, Predatory franchise lending, Predatory lending, Privacy breaches a prerequisite for fraud, Privacy Commissioner of Canada, Refuses to accept complaint, Refuses to investigate complaints, Regulator already has enough power but they don't use it, Regulatory capture breeds its own incompetence, Reputation management, Retaliation, Right to associate, Right to associate and right to harass, Royal Canadian Mounted Police, RCMP, Sales agent shenanigans, Shame - humiliation emotion, Some of the nastiest predators run several tradename systems, Sunshine is the best disinfectant, Symbiotic relationships (industry, banks, lawyers), Taxpayers end up paying for private gain, Termination threats, The game is rigged, Threats of physical violence, Theft, Tony Martin, Towers of gold, feet of clay, Trap for the trusting, U.S. subprime mortgage scandal, Unauthorized funds transfer by bank, Undue influence, War of attrition, Watchdog fails to bark, Willful blindness, Write a letter of complaint, Canada, 20050521 Another privacy

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License