Scotiabank confirmed on Monday that three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system. The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It reportedly did not include savings or chequing account numbers, any account balances, or employment information.
The bank admitted that there was non-compliance with its policy of encrypting portable storage devices that contain confidential personal information. It said it has changed its processes so future CDs will be encrypted.
The Scotiabank incident comes on the heels of other notable privacy breaches involving major corporations. In April, Sony revealed that it had suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts.
Privacy breaches such as these should concern insurers, especially when companies (such as Sony) try to make first party claims. Or identity theft victims sue the companies over losses arising as a result of those breaches.