Peoples Trust Privacy Breach

Banking and Saving strategies, maximizing interest rates, budgeting, GICs, HISAs.
Bylo Selhi
Veteran Contributor
Posts: 29494
Joined: 16 Feb 2005 10:36
Location: Waterloo, ON

Re: Peoples Trust Privacy Breach

Post by Bylo Selhi »

like_to_retire wrote:It kind of bugs me that most companies now want your userID to be your email address.
Because people are less likely to forget their e-mail address than some username they concocted just for that site. That's important because, when they forget their password, they'll be able to use that e-mail address to recover/reset it.

If you don't want to use your primary e-mail address for site registrations, especially on sites that might be dodgy or that might expose you to spam, then create a special e-mail address just for this purpose. For instance create like_to_retire_siteregs@gmail.com just for this purpose. (Avoid using so-called "throwaway" or "disposable" addresses because if you forget a site password you won't be able to recover it.)
Sedulously eschew obfuscatory hyperverbosity and prolixity.
ig17
Veteran Contributor
Posts: 3418
Joined: 21 Feb 2005 20:54

Re: Peoples Trust Privacy Breach

Post by ig17 »

I can't log in to the PT system. My account is locked.
Your account has been locked out as the information you have provided does not match our records. Please contact us.
I wonder why they locked it. Have they noticed any suspicious activity on the account?

They are not open on the weekends. Will call them on Monday.
AltaRed
Veteran Contributor
Posts: 33398
Joined: 05 Mar 2005 20:04
Location: Ogopogo Land

Re: Peoples Trust Privacy Breach

Post by AltaRed »

Perhaps incorrect login information? I can login to my PT account.
ig17
Veteran Contributor
Posts: 3418
Joined: 21 Feb 2005 20:54

Re: Peoples Trust Privacy Breach

Post by ig17 »

No, that's not it. I have the right account number. It worked a week or two ago, the last time I logged in.

My wife's account # works fine.
Bylo Selhi
Veteran Contributor
Posts: 29494
Joined: 16 Feb 2005 10:36
Location: Waterloo, ON

Re: Peoples Trust Privacy Breach

Post by Bylo Selhi »

ig17 wrote:No, that's not it. I have the right account number. It worked a week or two ago, the last time I logged in.
1. A hacker tried to login several times to your account unsuccessfully.
2. A legitimate user mistyped their account number, actually typed yours, and tried repeatedly to login to your account using their account's password.
In either case when they reached a threshold number of failed login attempts the system locked them (and thus you) out.
Sedulously eschew obfuscatory hyperverbosity and prolixity.
ig17
Veteran Contributor
Posts: 3418
Joined: 21 Feb 2005 20:54

Re: Peoples Trust Privacy Breach

Post by ig17 »

Yeah but, that's not what the error message says:

"Your account has been locked out as the information you have provided does not match our records."

I wonder if they've been doing security sweeps and have found some discrepancies. I'll get the answer on Monday.
Bylo Selhi
Veteran Contributor
Posts: 29494
Joined: 16 Feb 2005 10:36
Location: Waterloo, ON

Re: Peoples Trust Privacy Breach

Post by Bylo Selhi »

ig17 wrote:Yeah but, that's not what the error message says: "Your account has been locked out as the information you have provided does not match our records."
Actually that's consistent with an account/password mismatch and typical of the sort of vague message you'd get in that circumstance from other financial institutions, e.g.
An invalid password at TD results in "You have entered invalid login information."
At RBC it results in, "Your response does not match our records."
At BNS it's, "Either the ScotiaCard number or the password you entered is invalid."

The geniuses who pump out these messages don't want to tell you explicitly what datum doesn't match their records lest that serve as a clue to the hacker.
Sedulously eschew obfuscatory hyperverbosity and prolixity.
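
The lockout behaviour described in the posts above (a failed-attempt threshold keyed to the account number, with a deliberately vague user-facing message), as an added example that is not part of the thread or any bank's code. The threshold of 3, the account numbers, the source addresses and all class and function names are assumptions; the internal audit trail shows how support could still say why a lock happened.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # assumption: the thread does not state PT's real threshold
# User-facing texts: deliberately vague, like the messages quoted in the thread.
MSG_MISMATCH = "The information you have provided does not match our records."
MSG_LOCKED = ("Your account has been locked out as the information you have "
              "provided does not match our records. Please contact us.")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # internal (account_no, source, event) rows; never shown to the user

    def register(self, account_no, password):
        salt = os.urandom(16)
        self.accounts[account_no] = Account(salt, _hash(password, salt))

    def _log(self, account_no, source, event):
        self.audit.append((account_no, source, event))

    def login(self, account_no, password, source):
        acct = self.accounts.get(account_no)
        if acct is None:
            self._log(account_no, source, "unknown_account")
            return False, MSG_MISMATCH
        if acct.locked:
            # Even the correct password is refused once the account is locked.
            self._log(account_no, source, "attempt_while_locked")
            return False, MSG_LOCKED
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self._log(account_no, source, "success")
            return True, "OK"
        acct.failures += 1
        self._log(account_no, source, "bad_password")
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            self._log(account_no, source, "locked")
            return False, MSG_LOCKED
        return False, MSG_MISMATCH

    def explain_lock(self, account_no):
        """What support staff could read back: which source failed, and when it locked."""
        return [(src, ev) for acc, src, ev in self.audit
                if acc == account_no and ev != "success"]


def mistyped_number_scenario():
    svc = LoginService()
    svc.register("1000234", "owner-secret")      # constructed account numbers
    svc.register("1000243", "neighbour-secret")
    # Another customer transposes two digits and retries with their own password.
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("1000234", "neighbour-secret", source="203.0.113.7")
    # The real owner now logs in with the correct password and is still refused.
    owner = svc.login("1000234", "owner-secret", source="198.51.100.20")
    return owner, svc.explain_lock("1000234")


if __name__ == "__main__":
    owner_result, trail = mistyped_number_scenario()
    print(owner_result)
    for row in trail:
        print(row)
```

The owner sees only the vague locked-out text, while the audit rows show that every failure came from a different source than the owner's own attempt.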
good4u
Contributor
Posts: 248
Joined: 01 Oct 2012 17:10

Re: Peoples Trust Privacy Breach

Post by good4u »

ig17 wrote:Yeah but, that's not what the error message says:

"Your account has been locked out as the information you have provided does not match our records."

I wonder if they've been doing security sweeps and have found some discrepancies. I'll get the answer on Monday.
Although these types of messages can be a real pain, I think it is a good thing or at least better than the alternative of someone being able to try unlimited attempts of hacking into another person's account. I think these types of errors flush out hackers from legitimate users as hackers or fraudsters are unlikely to call PT to have this investigated for fear of getting caught whereas a legitimate user will definitely call in to get this sorted out. It's just unfortunate that PT does not have support 24/7 like the big banks which means if something doesn't work you have to wait until the next time they're open.
ig17
Veteran Contributor
Posts: 3418
Joined: 21 Feb 2005 20:54

Re: Peoples Trust Privacy Breach

Post by ig17 »

PT unlocked my account, but they couldn't explain why it got locked. They didn't see any red flags on the account, such as pin misuse or failed security questions. I didn't escalate the issue but maybe I should have done so to get a full explanation. :roll:
parvus
Veteran Contributor
Posts: 10014
Joined: 20 Feb 2005 16:09
Location: Waiting for the real estate meltdown on Rua Açores.

Re: Peoples Trust Privacy Breach

Post by parvus »

Slightly off-topic, but Air Miles locked my account over the weekend, for security reasons. Don't have a clue why -- except that I don't login much -- but got access restored today.
Wovon man nicht sprechen kann, darüber muß man schweigen — a wit
jeremy
Contributor
Posts: 421
Joined: 18 Nov 2010 13:53

Re: Peoples Trust Privacy Breach

Post by jeremy »

adrian2 wrote:
jeremy wrote:I moved my money out of PT because they are too disorganized to notify me that my information has been compromised. They have my current address and have sent mail here, but I have not received the letter. If it wasn't for online forums and checking my credit reports, I wouldn't have known about the breach or that I was affected.
Maybe your info was not compromised, and that's the reason you did not get the letter?
I confirmed with Peoples that I was compromised, and that they sent the letter to my old address. Something about it being too much work to validate the addresses in the compromised database with the current addresses in the customer database. Seems a bit deceptive to tell people something like "only a small percentage of clients were affected, and they were sent the letter" when they couldn't be bothered to send the letter to customers' current addresses.
good4u
Contributor
Posts: 248
Joined: 01 Oct 2012 17:10

Re: Peoples Trust Privacy Breach

Post by good4u »

jeremy wrote:
adrian2 wrote:
jeremy wrote:I moved my money out of PT because they are too disorganized to notify me that my information has been compromised. They have my current address and have sent mail here, but I have not received the letter. If it wasn't for online forums and checking my credit reports, I wouldn't have known about the breach or that I was affected.
Maybe your info was not compromised, and that's the reason you did not get the letter?
I confirmed with Peoples that I was compromised, and that they sent the letter to my old address. Something about it being too much work to validate the addresses in the compromised database with the current addresses in the customer database. Seems a bit deceptive to tell people something like "only a small percentage of clients were affected, and they were sent the letter" when they couldn't be bothered to send the letter to customers' current addresses.
Wow!!! Thanks for sharing this. This is another symptom of what I think is defective management. Too much work for whom??? I have done things for my clients that sometimes involve a crazy amount of work but sometimes the amount of work isn't the point. If something needs to be made right, then that is all there is to it. I would like to know WHO decided if this was too much work or not. This is definitely an ethical issue and it seems to me that the person who decided it was too much work to reconcile the addresses may have been the same person who thought it was too much work to adequately protect the data. I guess this person hasn't thought of what it might be like if roles were reversed and someone else was affecting their fate and whether they let them know about it or not.
bill2009
Contributor
Posts: 351
Joined: 03 Mar 2005 14:22

Re: Peoples Trust Privacy Breach

Post by bill2009 »

jeremy wrote:
adrian2 wrote:
jeremy wrote:I moved my money out of PT because they are too disorganized to notify me that my information has been compromised. They have my current address and have sent mail here, but I have not received the letter. If it wasn't for online forums and checking my credit reports, I wouldn't have known about the breach or that I was affected.
Maybe your info was not compromised, and that's the reason you did not get the letter?
I confirmed with Peoples that I was compromised, and that they sent the letter to my old address. Something about it being too much work to validate the addresses in the compromised database with the current addresses in the customer database. Seems a bit deceptive to tell people something like "only a small percentage of clients were affected, and they were sent the letter" when they couldn't be bothered to send the letter to customers' current addresses.
I seriously think that PT, and probably most of the smaller players, are at risk for hacking. This stuff is hard and an IT department of 50 or whatever people won't be able to ride herd on the needed infrastructure or the actions of the rest of the staff. I don't worry about my money as such because of, ultimately, CDIC backing but these kinds of events are just going to continue.
Bylo Selhi
Veteran Contributor
Posts: 29494
Joined: 16 Feb 2005 10:36
Location: Waterloo, ON

Re: Peoples Trust Privacy Breach

Post by Bylo Selhi »

jeremy wrote:I confirmed with Peoples that I was compromised, and that they sent the letter to my old address.
Prudent people who move pay Canada Post to forward mail from their old address to their new address for at least a year. Did you do that? Maybe you have a beef with CPC over failure to forward the fateful letter.
Seems a bit deceptive to tell people something like "only a small percentage of clients were affected, and they were sent the letter"
The statement can be true without it being deceptive. That has nothing to do with whether any of the affected clients moved. The breach affected only applicants in a particular timeframe. They could well represent "only a small percentage of [total] clients."

I agree that it's sloppy to send the letters using the addresses on the compromised applications rather than the current addresses they have on file. OTOH consider someone who made an application but never followed through with the void cheque. They don't have an account with PT but their information was still compromised. In those situations PT is notifying non-clients. Perhaps they went beyond what they're required to do in this respect.

Finally, you should be happy that you moved. Anyone who tries to use your compromised data will run into trouble when the address they use doesn't agree with what the credit reporting agencies have on file. In that sense you're more secure than those of us who didn't move even if only we got the letter ;)
they couldn't be bothered to send the letter to customers' current addresses.
Is that what they actually told you or is that just your inference? Perhaps instead of consciously deciding not to be bothered it never occurred to them to consider people who moved. Perhaps they assumed that people have their mail forwarded when they move. I don't know. But unless someone in a position to know told you explicitly that "they couldn't be bothered" then with respect, neither do you.
bill2009 wrote:I don't worry about my money as such because of, ultimately, CDIC backing but these kind of events are just going to continue.
This really has nothing to do with CDIC. In any case your money wouldn't be at risk because all a hacker can do online is transfer funds between a PT account and some external account. A hacker would have to also compromise that account in order to hijack your money.

But in any case, according to PT this security breach did not include account information. This breach isn't about money on deposit at PT (which is CDIC's concern) but rather about a hacker using purloined personal information to commit identity theft.
Sedulously eschew obfuscatory hyperverbosity and prolixity.
AltaRed
Veteran Contributor
Posts: 33398
Joined: 05 Mar 2005 20:04
Location: Ogopogo Land

Re: Peoples Trust Privacy Breach

Post by AltaRed »

I was one of those that had my data compromised and received a letter from PT, but while I am pissed off about that and the likelihood that PT management (and/or their staff) likely took the easiest/cheapest/laziest way out when it comes to protecting data, it is hardly a world class transgression that some here appear to make it out to be. Certainly not enough for me to not avail myself of relatively more attractive interest rates, nor to fear my account will be accessed. It is now probably safer to have money there than with other 'lower tier' institutions (can think of credit unions, perhaps even CDF with a similar website/interface) which probably bought their website package from the same/similar supplier and/or contract out their IT work.

[rant]To add to Bylo's comment on address changes, every time I have moved, I have bought at least one year's worth of Canada Post/US Post re-routing of mail. Those who do not will likely miss an address change on something important OR worse, have mail going to the new folks at the old address, which I consider highly uncourteous behaviour. The folks I bought my current place from obviously failed to do any of that....requiring me to dump it back into the superbox (if I think financially important) or mostly tossed in the trash.[/rant]
jeremy
Contributor
Posts: 421
Joined: 18 Nov 2010 13:53

Re: Peoples Trust Privacy Breach

Post by jeremy »

Bylo Selhi wrote:
jeremy wrote:I confirmed with Peoples that I was compromised, and that they sent the letter to my old address.
Prudent people who move pay Canada Post to forward mail from their old address to their new address for at least a year. Did you do that? Maybe you have a beef with CPC over failure to forward the fateful letter.
I moved more than a year ago and notified Peoples Trust at that time. My issue is not with Canada Post.
Seems a bit deceptive to tell people something like "only a small percentage of clients were affected, and they were sent the letter"
The statement can be true without it being deceptive. That has nothing to do with whether any of the affected clients moved. The breach affected only applicants in a particular timeframe. They could well represent "only a small percentage of [total] clients."
I realize it could still be a fraction of their total client base, but I find the implication that "if you weren't notified, you weren't affected" to be deceptive when they didn't put their best effort into notifying affected clients.
Finally, you should be happy that you moved. Anyone who tries to use your compromised data will run into trouble when the address they use doesn't agree with what the credit reporting agencies have on file. In that sense you're more secure than those of us who didn't move even if only we got the letter ;)
Yes, I have realized that. I'm still not pleased that my other identifying information was compromised.
they couldn't be bothered to send the letter to customers' current addresses.
Is that what they actually told you or is that just your inference? Perhaps instead of consciously deciding not to be bothered it never occurred to them to consider people who moved. Perhaps they assumed that people have their mail forwarded when they move. I don't know. But unless someone in a position to know told you explicitly that "they couldn't be bothered" then with respect, neither do you.
As I posted above, they told me that it was too much work to validate the addresses.
Chuck
Veteran Contributor
Posts: 2048
Joined: 21 Feb 2005 11:48
Location: Manitoba

Re: Peoples Trust Privacy Breach

Post by Chuck »

AltaRed wrote:I was one of those that had my data compromised and received a letter from PT, but while I am pissed off about that and the likelihood that PT management (and/or their staff) likely took the easiest/cheapest/laziest way out when it comes to protecting data, it is hardly a world class transgression that some here appear to make it out to be.
Probably true. BTW there is a standard out there for Payment Card Industry data security (google PCI DSS standard if you want to read all about it). Full PCI compliance is onerous, as it probably should be, and that makes it expensive. Right now, there doesn't seem to be sufficient incentive for corporations to make the upgrades (spend the $$$) to their IT systems/processes to be PCI compliant certified. Breaches are still infrequent and consumer awareness is low. If consumers started to be sticklers and insist on PCI certification (kind of like the good housekeeping seal of approval), you would likely witness a sea change in corporate behavior in this area.

Interestingly, I tried googling "is <big 5 bank name> PCI compliant" and got no useful results. Lots of mumbo jumbo about the banks recommending all their credit card merchants be PCI compliant, but no statement of compliance from the bank itself. It could just be my search skills, but you would think any corporation who was PCI certified would brag about it. The fact I can't easily google up some web page stating that, for example, TD is a certified PCI compliant institution makes me go "hmmm".
NOVICE99
Contributor
Posts: 444
Joined: 03 Dec 2005 21:45

Re: Peoples Trust Privacy Breach

Post by NOVICE99 »

Also got THE letter, albeit rather late. Called and confirmed my balances, they gave me the "assurance" that transfer of my info to their new database would ensure my privacy (but it's the same data).

So, I saw this site advertising ID alerts (discounts for being an employee of X Bank), and am wondering if anyone has subscribed to this service and what do you think? At this stage, I'm hesitant to give my information to yet another company, because if they get hacked, the hackers will have access to quite a lot of private information in one spot.

http://www.idalerts.ca/

Any thoughts?
good4u
Contributor
Posts: 248
Joined: 01 Oct 2012 17:10

Re: Peoples Trust Privacy Breach

Post by good4u »

NOVICE99 wrote:Also got THE letter, albeit rather late. Called and confirmed my balances, they gave me the "assurance" that transfer of my info to their new database would ensure my privacy (but it's the same data).

So, I saw this site advertising ID alerts (discounts for being an employee of X Bank), and am wondering if anyone has subscribed to this service and what do you think? At this stage, I'm hesitant to give my information to yet another company, because if they get hacked, the hackers will have access to quite a lot of private information in one spot.

http://www.idalerts.ca/

Any thoughts?
Thanks for your post.

While everyone will have a different opinion on the lengths to go with respect to protecting themselves after this unfortunate event, I am doing everything I can that doesn't cost me anything. Here is a list of steps I am taking:
1. Ensure that flags are in fact on my credit file at both Equifax and Transunion (PT had not put one on my Equifax file so it was good that I checked and made sure the flag was put on)
2. Will be requesting my credit report from both bureaus every 3 months to check for any unusual activity
3. Made a list of who needs to know about this event (bank, utility companies, etc.) and ask them to put alert on my file the next time I talk to them or visit their business
4. Signed up for a no-fee CIBC credit card and subscribed to the free credit and fraud alert service offered through their credit cards

I think there is quite a bit of fear-mongering out there that convinces people to buy these ID theft products but I have found that very few of them do anything to "prevent" ID theft. Most just provide information on your credit report(s) and some assistance in getting your life straightened out after an ID theft incident has occurred. JMHO
investorscooter
Spammer
Posts: 3
Joined: 19 Nov 2013 17:07

Re: Peoples Trust Privacy Breach Class Action

Post by investorscooter »

AltaRed wrote:
investorscooter wrote:On November 18, 2013, the law firms of Sutts, Strosberg LLP, Charney Lawyers and Branch, MacMaster LLP commenced a national class action against Peoples Trust Company ("PTC") on behalf of all persons in Canada whose personal information was compromised as a result of a privacy breach.
Thank you for that information. I will take a look. It would be appreciated, however, if you would disclose for transparency, what relationship, if any, you have with either of these law firms.

Added: I note the Contact Information form is not on a secure website, i.e. no https://, and believe it should be.

The Contact Information form for the class action website at www.peoplestrustprivacyclassaction.com is on a secure, encrypted website.
Pickles
Veteran Contributor
Posts: 4215
Joined: 27 Sep 2006 09:44
Location: Toronto

Re: Peoples Trust Privacy Breach Class Action

Post by Pickles »

investorscooter wrote:
AltaRed wrote:
investorscooter wrote:On November 18, 2013, the law firms of Sutts, Strosberg LLP, Charney Lawyers and Branch, MacMaster LLP commenced a national class action against Peoples Trust Company ("PTC") on behalf of all persons in Canada whose personal information was compromised as a result of a privacy breach.
...I note the Contact Information form is not on a secure website, i.e. no https://, and believe it should be.
The Contact Information form for the class action website at http://www.peoplestrustprivacyclassaction.com is on a secure, encrypted website.
Glad you fixed that. So did Peoples Trust.
Regards,
Pickles
NOVICE99
Contributor
Posts: 444
Joined: 03 Dec 2005 21:45

Re: Peoples Trust Privacy Breach

Post by NOVICE99 »

Did anyone get an increase in phishing calls or email since this breach? Maybe we can start a list?

I got a call tonight from a "company representing PC Financial" who told me I had an extra 10000 PC points if I were to activate my card right away by giving one of their depts my card information. I called PC Financial and they advised no such calls were arranged by them because my card was activated a while ago.

How successful were you in getting Equifax and TransUnion to put a flag on all requests? PC told me they would only flag out-of-the-ordinary transactions.
BRIAN5000
Veteran Contributor
Posts: 9063
Joined: 08 Jun 2007 23:27

Re: Peoples Trust Privacy Breach

Post by BRIAN5000 »

So if we don't get a call or letter from Peoples Trust does that mean we weren't hacked or they are just sloppy/don't know and we were hacked?

I have my account set up and transfers from linked BMO account work fine. Set up the wife's same way and it won't work. The guy that answers the phone to help with GICs is also the support guy by the sounds of things, he couldn't fix it, wants another check.

I was able to create a TFSA and an E-savings but can't link to external account.
I'll leave it for a day and see if someone actually calls back wondering where the money is?
They are swamped; you have to leave your number and get a call back.
This information is believed to be from reliable sources but may include rumor and speculation. Accuracy is not guaranteed
Sumaco
Contributor
Posts: 227
Joined: 13 Mar 2013 22:14
Location: Planet Earth

Re: Peoples Trust Privacy Breach

Post by Sumaco »

BRIAN5000 wrote:So if we don't get a call or letter from Peoples Trust does that mean we weren't hacked or they are just sloppy/don't know and we were hacked?
I sent them an email asking this specific question and received no reply. I suppose I could call them but I have not seen or experienced any anomalies related to this problem.

No entry was shown/listed on a recent Equifax report.
--
Ignorance is where learning begins.
jeremy
Contributor
Posts: 421
Joined: 18 Nov 2010 13:53

Re: Peoples Trust Privacy Breach

Post by jeremy »

BRIAN5000 wrote:So if we don't get a call or letter from Peoples Trust does that mean we weren't hacked or they are just sloppy/don't know and we were hacked?
Could be sloppiness. You can call them and ask if your account was compromised. I didn't get any letter either, but when I called, they told me the letter was sent to my old address (they have my current address). They took my address again :roll: and sent me the letter.