Peoples Trust Company hacked; Bank arranges for credit alert flags on customers’ accounts for 6 years

Someone kindly alerted me to a breach involving Peoples Trust Company in Canada.  Here is the text of a notification letter they sent out, as provided by one of the recipients (hence, DataBreaches.net can assure its complete authenticity/accuracy):

October 25th, 2013

RE: Important Notice Regarding Your Personal Information

Dear First Name Last Name,

As is common with most Financial Institutions, and indeed most successful companies, Peoples Trust is constantly on guard against undesirable third parties gaining access to our systems and data, and is repeatedly required to repel unwanted incursions. Over the past 25 years we have successfully fended off all attempts to compromise our systems. However during the past week of October 7th, we became suspicious of a few events that might indicate a possible intrusion into a database on our website. This database was totally separate from our banking systems so no banking information, such as balances, account numbers, logins or passwords could be obtained. As a precautionary measure, we immediately removed all data from this area and enhanced identification procedures and daily processes in our Deposit Services area to monitor for unusual activity pending a full investigation. To date we have seen no suspicious activity.

We retained a forensic investigator to identify the nature of the problem, extent and source of a potential data compromise. On October 11, 2013, the forensic investigator confirmed that a database used to collect on-line application information on our website was compromised by unauthorized access originating in the Peoples Republic of China. None of our banking systems were infected.

The personal information that may have been accessed on this database includes customer name, address, telephone number, email address, date of birth and social insurance number. We can confirm with confidence that your financial information, account data and password information have not been compromised in any way. However this incident may still place some customers at risk for identity theft. We have informed the Police and Canada’s Privacy Commissioner, as well as the two major Canadian Credit bureau service providers. To mitigate the risk, Peoples Trust has arranged for a flag to be placed on your credit file which will alert companies accessing your credit information that your data may have been compromised and that lenders should take additional steps to verify your identity before transacting further. The notation will stay on your credit file for a period of 6 years unless you choose to have it removed.

It is not possible to verify the extent of access – or the amount of customer data that could possibly have been compromised – and we are hopeful the impact will be minimal, given the responses we’ve received from our customers to date (which has been limited to the receipt of a text message requesting a call to an inactive number).

Nothing is more important to Peoples Trust than the security of our customers’ personal information. In addition to the steps we have taken, we would like to recommend the following to protect yourself from risk of identity theft or fraud:

– If you receive emails or text messages in the days ahead purporting to be from Peoples Trust asking for account or any other information, please consider that email or text to be fraudulent, and contact us immediately at 1-855-286-8505. Peoples Trust does not solicit account information from customers by email or text.

– Never respond to any unsolicited requests for your banking or personal information.

– As a precautionary measure, we recommend you monitor your accounts for any unusual activity and report any irregularities to to Peoples Trust immediately at 1-855-286-8505.

– You obtain a free copy of your credit file which may be done by calling the following services: Equifax Canada (1-800-465-7166) or TransUnion Canada (1-800-663-9980) and requesting a printed copy be delivered to you by mail. You may also obtain further information on removing the alert by visiting their websites: http://www.equifax.ca or http://www.transunion.ca

If you have any questions about this incident, how it may affect you and the steps Peoples Trust is taking to protect you and your personal information, please call our special information line at1-855-286-8505. You can also contact Peoples Trust’s Privacy Officer:

Darren Kozol, Privacy Officer
14th Floor, 888 Dunsmuir St
Vancouver, BC
V6C 3K4
PH: 604-331-2238
@: [email protected]

Unfortunately, unauthorized privacy incursions are becoming more and more common all over the world. Peoples Trust will continue to take steps to safeguard your information with us. Moe information on personal information security and protecting yourself against identity theft is available from the Office of the Privacy Commissioner at http://www.priv.gc.ca . You should note that they provide a fact sheet on their website entitled “Identity Theft: What it is and what you can do about it” which may be of assistance to you in the present circumstances.

Peoples Trust deeply regrets that this occurred and is doing everything in our means to prevent an incident like this from happening again. Thank you for your understanding, and do not hesitate to call us if you have any questions or concerns.

Yours Sincerely,
Bill Moffatt
Chief Operations Officer
Peoples Trust Company

There is a lengthy discussion of the breach and the placement of the flags by customers here.

About the author: Dissent