(Jamaica Gleaner) Client records of CIBC FirstCaribbean International Bank have been accessed by outsiders, but the bank says the breach should not be described as a hack.
The security breach occurred at the facility of a third-party service provider, said the regional bank in a circular to accountholders advising that the personal information of local and regional cardholders had been exposed.
The bank has placed high-risk cardholders on alert to the possibility of fraud.
“This incident may potentially affect some of your personal information. The information may have included your name address, telephone number, identification information, card number and expiry date,” said the circular to the bank’s Jamaican clientele dated February 13 and issued via postal mail.
Managing director of CIBC FirstCaribbean Jamaica, Nigel Holness said Tuesday that the perpetrators potentially copied cardholder’s personal information. He said the origin of the breach was unknown, but said that it affects “cardholders beyond Jamaica”. He did not disclose the name of the facility that had been breached.
Holness declined to classify the breach as a hack.
“I would not say it was a hack because that is a technical term and I am not of that technical expertise,” he told Wednesday Business. “What I can say is that in all our internal briefing, the term hack was not used.”
But technology expert Andrew Gordon says the bank is engaged in semantics.
“Hacking is the method used to breach security,” said Gordon, a technology lecturer at the University of Technology, who explained that companies avoid using the word hack to soften the impact. “From a public-relations perspective, you have to make it not look so bad.”
The bank operates 13 branches locally, but is part of the largest regionally-listed financial services institution, located in 17 countries around the Caribbean with more than US$11.5 billion in assets and a market capitalisation of US$2.1 billion in 2012.
The third-party vendor was not terminated. It has re-enforced its defences, according to Holness, who was unable to explain the new measures.
In its letter to cardholders, CIBC FirstCaribbean stressed that none of its accounts were compromised, but said that the bank would compensate any affected clients for losses arising from the unauthorised access.
“We have not detected any instances of our client accounts being compromised. However, we continue to monitor for any suspicious activity and ask our clients to do the same, online where possible,” said the bank’s letter signed by manager of Customer Care and Sales Centre in Jamaica, Stacy Davis Thompson.
The circular provided contact numbers for customer-care centres in six CIBC FirstCaribbean markets, including Jamaica, as well as two toll-free numbers for other countries.
Thompson declined an interview request in order to respect media protocol.
However, a call centre rep in Jamaican said, when asked, that the bank would try to pre-empt fraud by issuing new cards with new numbers to high-risk cardholders.
“We are taking precautionary measures to change out cards,” said the agent at the bank who responded to this reporter. “I can’t say if it will be all cards, but I can say it will be a seamless transition.”
The agent, who later declined to be identified to respect media protocol at the bank indicated that agents were also not told of the cause or scope of the breach.
“We are not saying that the system was hacked into; we are just doing due diligence on our part,” she said.
CIBC FirstCaribbean is the second high-profile corporation to be targeted by hackers this year.
In January, telecoms firm, Digicel, experienced a security breach in which customers’ personal information was allegedly accessed.
According to reports, the hacker was able to access personal information, including text messages and voicemail, of thousands of Digicel customers. It is alleged that the hacker also made attempts to blackmail the company with the stolen information. The police arrested one man in that case.