
Privacy Commissioner launches e-learning tool for retailers


This should have been done a few years ago ...

Yesterday, the Privacy Commissioner of Canada launched an online training tool for retailers to understand their obligations under PIPEDA. I haven't taken the course yet, but anything like this should be a good thing.

News Release: Privacy Commissioner launches e-learning tool for retailers (August 20, 2007) - Privacy Commissioner of Canada

Ottawa, August 20, 2007 – Retailers now have a free, do-it-yourself interactive tool to help them bring their privacy practices and policies in line with the law, the Privacy Commissioner of Canada, Jennifer Stoddart, announced today.

“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation,” says Commissioner Stoddart. “Nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming”.

The new e-learning tool created by the Office of the Privacy Commissioner of Canada (OPC) provides retailers with the information they need to set up their business to meet their obligations under Canada’s privacy laws and provide customers with the privacy protection they’re guaranteed under the Personal Information Protection and Electronic Documents Act (PIPEDA).

“Protecting customers’ information is an increasingly important part of running a business today and the online training is a valuable tool to help our members build solid privacy practices into their operations,” says Catherine Swift, President and CEO of the Canadian Federation of Independent Business (CFIB).

Derek Nighbor, Vice-President, National Affairs with the Retail Council of Canada (RCC) agrees. “With the proliferation of identity thieves and online fraudsters, members of the RCC who do not always have the time or the resources to learn about PIPEDA requirements will be pleased with the user-friendliness of this e-learning tool. Ultimately, their customers will find this a rewarding tool in the protection of their personal information” says Mr. Nighbor.

The OPC, in a joint initiative with the RCC, recently mailed privacy information kits to some 3,000 retailers in provinces where businesses are governed by PIPEDA. The kit includes a guide entitled Your Privacy Responsibilities: A Guide for Businesses and Organizations. (The kits will not go out to Retail Council members in the three provinces which have adopted their own private-sector privacy laws, B.C., Alberta and Quebec.)

“Some small businesses have been very proactive in developing good privacy practices, while many others still have a ways to go,” Ms. Stoddart says.

“Protecting customers’ personal information is the law, and it’s also good for a company’s reputation and bottom line,” the Commissioner adds, noting that research has shown it costs far less to adequately protect personal information in the first place than to clean up after a data breach.

The online retailer training session takes only about 30 minutes to complete. At the end, retailers will have: an information audit of their business; consent provisions required specifically for their business; a security plan; a sample privacy brochure for customers; and a training needs assessment. The interactive training is available online at http://www.privcom.gc.ca/privacy_comm/0001_home_e.asp.

New information for other types of small businesses is also available on the OPC’s web site.

Companies – large and small – in all but three provinces are subject to PIPEDA. The law imposes obligations on how those businesses must handle personal information such as names and addresses.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

WSJ sheds light on TJX breach methods


David Canton has just posted a link to a very interesting and insightful article on the TJX/Winners breach, which sheds light on how the scammers were able to penetrate the TJX system to take approximately TWO HUNDRED MILLION credit card numbers.

How Credit-Card Data Went Out Wireless Door - WSJ.com

... When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.

The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say....

Alberta order on consent and withdrawal thereof


A new and interesting Order from Alberta:

Order P2007-003

Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.



The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).

2007 "worst year ever" for data breaches


Looking back, 2007 has been the worst year ever for privacy breaches. This may only be the case because of mandatory breach reporting in many US jurisdictions, but the numbers are pretty staggering. See: Personal data theft reaches all-time high Chron.com - Houston Chronicle, which includes:


Major 2007 breaches

Some major data breaches disclosed in 2007:

  • Discount retailer TJX Cos. reports hackers broke into its computer systems and accessed at least 46 million customer records, primarily credit card data. Banks later sue TJX and estimate the breach involved at least 94 million records.
  • Britain's tax and customs department loses two computer disks containing personal information such as addresses and bank account numbers for about 25 million people. The disks were sent via internal government mail to the government's audit agency, but never arrived.
  • Dai Nippon Printing Co., a Japanese commercial printing company, says a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients.
  • A check-authorizing subsidiary of Fidelity National Information Services says information on 8.5 million consumers was stolen, allegedly by a former employee.
  • Online brokerage TD Ameritrade Holding Corp. said one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.
  • The online job site Monster Worldwide Inc. discovered that con artists had grabbed contact information from resumes of 1.3 million people.

Source: Associated Press research

Big Brother is watching, but he doesn't seem to care


I was interviewed some time ago for a feature article in the Toronto Star on privacy issues associated with loyalty cards. These products are very popular in Canada, with Air Miles and Shopper's Drug Mart's Optimum card leading the way. Many of these programs have the potential to collect a vast amount of shopping data, but most of the companies interviewed by Paul Brent didn't really seem to care about collecting the sort of detailed individual data that most assume is being collected.

TheStar.com - Travel - Big Brother is watching, but he doesn't seem to care

If you've ever hesitated when handing over that loyalty card at the liquor store or the pharmacy wondering, "just who is looking at what I'm buying?" you might take some comfort in the answer: Likely nobody.

In theory, marketers have the power to drill down into the digital minefield of a consumer's spending and determine their buying preferences for everything from their favourite wine to their brand of shampoo.

However, the reality is that retailers and service companies are too busy to care what we do, except in large numbers.

"It is not as if you are getting mail from a glasswares manufacturer saying: `We notice that you drink a lot of beer,'" says Ed Strapagiel, executive vice-president of Kubas Consultants. "For the most part, retailers have not over-exploited this data. The power is there to use, but they haven't really gone after it."

The reluctance of merchants to dig deeper into the consumer treasure trove of information makes some sense, however, he adds. "Many of these retailers that we are talking about – Loblaws, Canadian Tire, Shoppers Drug Mart ... they are not direct marketers. If the whole basis of your business is driving business to your store, you are not going to use direct marketing."

Consumers, for their part, realize they are giving up some of their privacy but appear willing to pay that price for the benefits that come from loyalty programs.

"It's actually never bothered me," says Tracy, waiting outside a Shoppers Drug Mart with her dog while her husband shops inside. She has been a devoted Air Miles collector for a decade and flew her mother from Sault Ste. Marie to Toronto on points.

A buyer for a local theatre company, she regularly uses the Internet for private and work purchases, and says she keeps a "close eye" on her credit cards and bank accounts electronically. Her husband agrees the benefits of collecting reward miles outweigh any privacy fears – "even though they are probably tracking our every move," he jokes.

But consumers should be aware they are entering into an agreement with loyalty companies when they take a membership card. The price for those "free" perks, such as travel rewards or discounts on purchases, is that you agree to allow marketers to take an electronic peek into your shopping basket.

"There are a whole bunch of programs where people choose to give up some privacy for convenience," says David Fraser, a privacy lawyer with the Halifax firm of McInnes Cooper.

"It doesn't bother me," says Zan Harriott, who had just purchased a greeting card and lottery tickets at Shoppers and swiped her Optimum points card.

A member of the loyalty program since it started, she says she regularly collects rewards from the card.

Launched in 2000, the Optimum program has 8.2 million members, making it one of the country's largest.

Fraser has not heard of any Canadian marketers abusing the data they obtain from loyalty programs. "In my experience, the companies that run loyalty programs are really quite diligent about privacy issues."

When it comes to privacy and loyalty programs, many consumers are surprised that information is being collected for marketing purposes, while others expect someone in a nameless data centre is noting every last tube of toothpaste.

The reality is somewhere in the middle.

Fraser notes that Air Miles was the subject of a consumer complaint a few years ago, but the federal Privacy Commissioner found the marketer was not amassing the detailed shopping information "a lot of people would have expected them to be collecting."

That fear of just how much information is being gathered acts as a brake on the expansion of loyalty plans. "If you don't tell customers what is going on, they assume the worst," Fraser says.

As the country's biggest loyalty marketer, reaching two-thirds of Canadian households (there are 9 million "collector" households), Air Miles is sensitive to the issue of privacy.

"Not just for us but across the Canadian marketplace, privacy is a pretty significant public policy issue," says Mitchell Merowitz, vice-president of corporate affairs and chief privacy officer for the Air Miles reward program.

The fact that Air Miles has been the most popular loyalty program in the country since 2001 shows that most Canadians are not too worried about leaving a digital record of their purchasing habits.

Information collected by Air Miles is gathered on a household basis and is not product-specific. A successful swipe of the card tells the company the date, value and store a purchase was made.

"The information that you see on your summary statement is the information that we collect," Merowitz says.

Related stuff: Canadian Privacy Law Blog: Air Miles should be about data mining, not mass appeal, Canadian Privacy Law Blog: Article: Loyalty cards plus legwork can track beef buying, and the finding of the Privacy Commissioner of Canada referred to is on the PIAC website at http://www.piac.ca/privacy/loyalty_management_group_canada_inc/.

Privacy commissioner raps home improvement retailer for collecting drivers licenses on product returns


The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer's driver's license information in connection with a product return. The company's policy was that returns for purchases made with a debit card, even with a receipt, were treated as a "no receipt" return and the information was collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.

The article on Canada.com quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.

T.J. Maxx probe finds broader hacking


This isn't good:

T.J. Maxx probe finds broader hacking | Tech News on ZDNet

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.

The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that handles customer transactions for its T.K. Maxx stores in the United Kingdom and Ireland, but that there has been no confirmation that anyone actually accessed that data.

In addition to these exposures, TJX said there were more breaches of driver's license information than it previously thought. These included the license numbers, names and addresses of customers making merchandise returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls and HomeGoods stores. That compromised data, according to TJX, is restricted to returns without receipts that took place in the last four months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been accessed.

The company, which is continuing its investigation, encourages customers to check their credit-card and bank-account records and look for further updates on its website.

Consumer response and responsibility


Dissent, at the Chronicles of Dissent (part of Pogowasright) asks whether consumer stupidity plays a role in privacy breaches and the response. Dissent points to an article from my local newspaper, the Chronicle Herald, quoted below.

I can't say that Canadians are more prudent or insistent about their privacy than our cousins below the border, or more stupid. In my experience on the east coast of Canada, most folks around here are much more trusting of the companies they do business with. The cynicism from down south hasn't quite permeated this neck of the woods. One thing we generally are more tolerant of is government regulation, such as that governing privacy.

We have not yet seen any provinces or the federal government come up with mandatory breach notification, with the narrow exception contained in Ontario's health privacy law. In that regard, we are lagging behind most of the states in the US.

Winners reassures Canadians

Security breach did not involve cards issued north of border, says retailer

By AMANDA-MARIE QUINTINO The Canadian Press

TORONTO — Assurances from Winners and HomeSense that a security breach reported last month did not involve Canadian debit-card transactions aren’t making much of a dent with customers of the two retail chains.

Not much can keep them from their bargain hunting.

The deals to be found at Winners make the risk of becoming the victim of credit card fraud worthwhile, said Sherry Croney as she slowly sifted through the blouse racks at one of the chain’s cavernous stores in downtown Toronto.

Croney said she never uses her credit card when clothes shopping, and even if she did, a security breach wouldn’t stop her.

...

"Our computer security experts have now completed their investigation of the portion of our computer network that handles Winners and HomeSense transactions, and they have advised us that they do not believe that debit cards issued by Canadian banks were compromised in the intrusion," said a TJX statement posted on the Winners website.



I note there is only a reference to Canadian debit cards.... nothing said about credit cards.

Data Privacy Bill Expected to Target Retailers, Banks


According to the Washington Post, the new chairman of the House Financial Services Committee will be pushing hard for a national privacy/data breach law:

Data Privacy Bill Expected to Target Retailers, Banks - washingtonpost.com

Data Privacy Bill Expected to Target Retailers, Banks

By Brian Krebs

washingtonpost.com Staff Writer

Friday, February 2, 2007; Page D03

Data privacy is likely to be among the hottest technology issues to face Congress this year, in part due to interest from the new chairman of the House Financial Services Committee.

Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill that would exempt companies from disclosing data breaches, provided they secure the data with encryption software or other technology that would render it virtually unreadable if it fell into the wrong hands....

Inadequate security safeguards led to TJX breach, Commissioners say


The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 –The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.



Winners security breach hits home


The Globe & Mail is reporting that significant fraud has been linked to the Winners information breach:

globeandmail.com: Winners security breach hits home

Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.

They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.

“We have seen fraud on some of those accounts that we can directly link back to [the breach],” said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.

Incidents: Rash of info breaches with Canadian connections


This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.

In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)

Today we've heard of a significant announcement made by Talvest Mutual Funds:

Talvest Mutual Funds issues statement regarding missing back up computer file

MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a backup computer file containing client information has recently gone missing while in transit between its offices.

The backup file contained information relating to the process used to open and administer approximately 470,000 current and former Talvest client accounts and may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and / or Social Insurance Numbers. Talvest has retained original copies of their files on its secure website.

While Talvest has no evidence to suggest this backup file has been inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset Management, has taken precautionary measures to protect its clients. These actions include:

  • Notifying all affected clients by letter.
  • Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information contained on this file.
  • Providing affected Talvest clients the opportunity to enrol in a credit monitoring service at no cost. This service will provide added security on client credit files at major Credit Reporting agencies.
  • Establishing a dedicated call centre and website to deal with any affected Talvest client inquiries.
  • Advising affected Talvest clients to regularly review activity on all their financial accounts and report any unauthorized activity immediately to their financial institution.
  • Working with the police to investigate this incident and retrieve this backup file.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, President of CIBC Asset Management. "Although, we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter. Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Fund Clients."

For more information on this matter, Talvest Mutual Fund clients are advised to visit www.talvest.com.
And with a report from the CBC:

CIBC loses data on 470,000 Talvest fund customers

CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.

The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.

The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.

Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.

Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.

The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.

"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.

Talvest has set up special phone lines for clients who want more information.

The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.

The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.
Also, a breach involving TJX, the parent of TJ Maxx, Winners and Homesense, may have exposed the personal information of Canadian customers of that store:

globeandmail.com: Computer breach exposes TJX shoppers to fraud

SECURITY

Parent of Winners, HomeSense targeted

MARINA STRAUSS AND SINCLAIR STEWART

Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.

TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.

The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.

The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass.-based retailer said in a statement.

...

"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."

Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.

Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.

An intruder grabbed information dealing with credit and debit card sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.

Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.

...

In Canada, TJX runs 184 Winners and 68 HomeSense stores.


Expect much more info to come...


Update (20070118): The Privacy Commissioner of Canada has initiated a complaint of her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.