© The Canadian Press / Kevin Frayer. A logo is seen outside Scotiabank headquarters in the financial district in Toronto Tuesday, December 3, 2002.
Scotiabank says it will use digital locks on data discs after three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system.
The bank said a "small percentage" of customers are affected, but it is warning clients as a precaution so they can monitor accounts for any fraudulent activity.
The Bank of Nova Scotia (TSX:BNS) says the loss is a rare incident and believes its clients are not at risk because the CDs are lost internally. It said it has changed its processes so future CDs will be encrypted, which means data will be scrambled unless a user has the correct computer key to open it.
"Scotiabank has very strict processes and procedures in place to protect customer privacy and confidentiality. This is a responsibility we take very seriously," the bank said in a statement.
The information on the discs was not encrypted, and was set to be transferred to the Canada Revenue Agency as part of the bank's requirements to report the information.
The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It does not include savings or chequing account numbers, any account balances or employment information.
"It is clear that there was non-compliance with the bank's policy of encrypting portable storage devices that contain confidential personal information," the bank said.
"This appears to have been due to a belief that Canada Revenue Agency (CRA) would not accept encrypted files that, upon further examination, appears to be inaccurate."
The bank said it is the CRA that requires the information to be transferred by CD, and it is working with the industry to consider new technologies.
The bank said it is monitoring the affected customers' accounts and said it is harder to fraudulently take money out of registered accounts because they often require face-to-face interactions with staff.
Affected Scotiabank customer Michael Binetti, who lives in Toronto, said he is concerned someone might steal his identity and apply for fraudulent credit cards.
"I don't want to have to deal with the fallout of someone else getting credit in my name," Binetti said.
Tamir Israel, staff lawyer at the Canadian Internet Policy and Public Interest Clinic, said that although data like social insurance numbers can be misused to sign up for fraudulent credit, there are several steps that need to happen before the sensitive information can be used maliciously.
If the discs are lost internally, the risk isn't as great, but since the bank isn't sure where the discs are, customers aren't completely out of the woods, Israel said.
"There's a lot of 'ifs' that have to line up but I think that's why identity theft happens so often - because people think there's still another five steps before this comes home to me," he said.
"If every person goes in with that attitude, people are more likely to get dinged."
The Office of the Privacy Commissioner of Canada and Scotiabank suggest that those affected take precautions such as carefully checking over their financial statements, checking their credit reports for unauthorized accounts and shredding personal financial statements.
Israel said that credit reporting agencies allow customers who have had their personal information leaked to put a flag on their reports.
Consumers are growing increasingly aware of privacy breaches after several multinational companies have been hit by hackers trying to expose weak security of private information.
Researchers have counted about a dozen breaches at Sony since the beginning of this year, including two particularly serious ones which exposed 100 million users' personal details, including credit card numbers.
Passwords belonging to members of Georgia-based FBI affiliate Infragard were stolen and leaked to the Internet Monday, and videogame maker Nintendo was targeted in a recent online data attack, but said no personal or company information was lost.
Banks have not been immune to this kind of data breach in the past.
Between 2001 and 2004, CIBC inadvertently sent confidential customer information to outside businesses, including a West Virginia scrapyard and another company in suburban Montreal.
The wayward transmissions came to light when the scrapyard owner said he had been overwhelmed by internal CIBC fund-transfer request forms which included client social security numbers, addresses, phone numbers and detailed account data.
Why should they need to take bank details off their mainframe and put them on a portable or external disk anyway? The information shouldn't be used any place but the bank's computers.
It sounds to me someone has transferred all these to an external disk or device to steal them or use them outside the bank's network.