Toronto Hydro customer data breach: Are home addresses and phone numbers less important?

by Ben Lucier on August 4, 2009

Actual letter sent to Toronto Hydro customers regarding the data theft

Toronto Hydro’s CEO David O’Brien sent 685,000 letters last week to inform customers that the “name, address, account number and the amount of the last bill of some of [their] customers has come into the possession of a third party not associated with Toronto Hydro.”

The letter doesn’t use the word “stolen” or “theft”, although from the sounds of things, this is exactly what’s happened here. It also goes to great lengths to paint the picture that “you’re safe because no financial information was compromised.”

Yes, it could have been worse, but you know what Toronto Hydro? Although you didn’t leak my payment details, keeping my home address private is very important to me and I have to tell you, I’m pretty pissed off about this.

At least if my bank account is hacked, I can count on my bank to return whatever money goes missing. But I’m going to be living in my house for the next ten years, and that means some criminal might now have my home address and know where I will be for a long time. Combine that data with my blog, Twitter, Flickr, etc. and there are valid reasons to be concerned.

Toronto Hydro says the server with the actual payment information is “completely different from this one, and it’s separated by firewalls and other security”, but it worries me that companies might not be giving the same priority to protecting ALL of their customer data, not just financial details.

Toronto Hydro’s CIO Eduardo E. Bresani is ultimately the person I hold responsible for this, and I hope that each of Toronto Hydro’s 685,000 customers demands some answers and refuses to accept that breaches like this will be acceptable in the future.

If companies cannot protect confidential electronic information, it’s not so far-fetched that we as customers start to consider using pseudonyms to prevent breached data from being correlated to public information by criminals.

NOTE: In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) does not require mandatory reporting of privacy breaches. Contrary to the strict laws in the US, Canadian companies can decide whether to notify the Office of the Privacy Commissioner and/or any company or individual whose information might have been compromised in the breach. This legislation needs to change.


Pamela Quiroga August 4, 2009 at 9:43 pm

I actually got one of those letters from my pension plan provider last year. I had to have my account number changed but I too was informed that no personal data was leaked other than my address (from what I can recall). Regardless, it is a frustrating situation and one that happens all too often.

I didn’t know, as per your note, that this was not a mandatory update. It would be interesting to see what stance our local politicians have on this issue. I agree, this is unacceptable in this day and age.

laurie jonkman October 1, 2009 at 9:49 am

Good thing it was just names and addresses and not copies of customers’ photo ID.
