The Globe & Mail
Friday, March 13, 1998
pages B1,B4

CIBC posts client data in E-mail glitch

by Stephen Northfield

Nearly 500 Canadian Imperial Bank of Commerce clients got a painful reminder this week that the road to a world of electronic commerce is still marked by a few crater-sized potholes.

Late Wednesday, 492 clients of Investor's Edge, CIBC's discount brokerage arm, received an E-mail that was supposed to contain information about coming new stock issues. Instead, the message contained a list of the E-mail addresses of all 492 clients -- along with their account numbers. All of the clients had asked to be put on the mailing list.

Andrew Reed, a sales representative from Mississauga, was none too happy to see his particulars on the list.

"You're a billion-dollar company . . . I know mistakes happen, but how did my name and account number get associated with that?" Mr. Reed said. "I was really scared first of all -- we're not talking a couple of hundred bucks here", he added, referring to his account. "We're talking a little bit more than that."

Others were a bit more forgiving. "I would rather that it didn't happen, but I'm a programmer and I make mistakes, so it would be hard for me to get really upset about someone else's mistake", said Steve Canesso, a programmer at Cognos Inc. in Ottawa.

Investor's Edge president Don Rolfe said the glitch was caused by human error. "What happened is that instead of the message, the address list went out as the message . . . it was human error."

The problem was discovered "five minutes" after the messages were sent out late Wednesday afternoon, and bank staff began calling the affected clients immediately, he said. Nearly all had been contacted by late yesterday afternoon. Passwords and account numbers will be changed.

The E-mail address and account number together aren't enough to access the accounts either through the Internet or over the phone, Mr. Rolfe said. "There's been no financial impact and no incidence of somebody trying to access somebody else's account."

The bank contracts out the task of sending the batch E-mails to an outside firm, Xpedite Systems Inc. of Eatontown, N.J.

Mr. Rolfe said that there was no reason that the clients' account numbers should have been included with the E-mail addresses that were provided to Xpedite. "My opinion is that there was no need for the account number [to be] on there and it will not be on there going forward."

Mr. Rolfe said the blame rests squarely with the bank.

"We're supposed to make sure that it's absolutely correct -- there's an additional check in there. So unfortunately, we are in a predicament that no matter what, it's a CIBC error and we take responsibility."

Though rare, incidents like these are doing nothing to shore up confidence in electronic commerce, which surveys show Canadians aren't comfortable with, experts said.

Rick Broadhead, co-author of Canadian Internet Handbook, said he has always believed that the biggest risk in electronic commerce is not the possibility of someone getting your credit card number and running up a tab, but in incidents like these where human error results in the accidental disclosure of confidential information.

"Another incident like this probably isn't going to happen for a couple more years, but it's bound to happen when you have human interaction with technology", Mr. Broadhead said.

But David Jones, an assistant professor of computer science at McMaster University in Hamilton, said that it's not appropriate to blame it all on people. "It just demonstrates that there is a flaw in [the bank's] process . . . they should have a system in place where it's not possible for one individual to make a mistake and compromise the privacy of 500 key clients."

Gil Blair, an accountant in Victoria, B.C., was one of the surprised recipients of Wednesday's E-mail. He sent out a message to everyone on the list, alerting them to the problem, and was inundated with phone calls on Thursday from anxious people. "It's a serious breach of security if somebody has my account number and my E-mail address", he said.

Mr. Reed isn't peeved enough to shut down his account at Investor's Edge. But, after the information leak this week, he may just go back to doing things the old-fashioned way for a bit.

"I may just let it sit for a bit and not be active on it. It's handy -- there's no question about that. But I think I'll use the phone lines for the next couple of months until they can sort the problems out."

Copyright © 1998 by The Globe & Mail. All Rights Reserved. Reprinted with permission.