November 29, 2014
WealthOne did call me back, which surprised me (see my first post).
The CSR that called assured me that W1 takes security very seriously and that personal information data is kept in encrypted databases. What happened, she said, is that the person whose mailbox was hacked was preparing a “regulatory” report (the CSR kept repeating the word “regulatory” as if it explained or excused anything) and that report contained my unencrypted personal info (and that of many others). I asked what the report was exactly but didn’t get an answer. I also didn’t get an answer as to why a copy of info that is normally kept encrypted was simply sitting in a mailbox unencrypted.
If I understood correctly what the CSR said, it appears that the fact that my date of birth (and other info) was in a mailbox is not considered sensitive enough to warrant further measures (or quicker intervention by W1). Apparently, since many people post their personal info online, including their date of birth, such info is not considered sensitive. (While my own understanding would be that a date of birth is one of the key elements of identity theft.)
The CSR offered to change my account number, which I accepted. She also offered me a one year subscription to TransUnion myTrueIdentity monitoring service. This appears to be a good deal as I would be alerted of key changes and includes “identify theft insurance” of up to $50,000” among other “features.” I haven’t yet checked to see if there would be a downside in using this service (such as making it much harder to move money around or open and close accounts) of if it’s truly useful.
November 18, 2017
Norman1: It looks like the key to the SIN reporting requirement is:
1. Lamaison noted that: You can still earn interest and file tax returns and other financial requirements if you DO NOT HAVE a SIN. Then they will match the names or call you to sort them out.
2. Norman1 added: If you DO HAVE a SIN, you LEGALLY MUST provide it to certain financial and other institutions.
Case 1 above lets people get down to business before their SIN comes through, or if they are not eligible to get one. Norman1's quote specifically explains this.
I have only a single GIC with Wealth One. Didn't get a letter about a security breach. Probably doesn't affect me. They have no E-mail or other on-line info about me anyway.