Insider says Manulife Bank didn't protect customers' highly private information for years
Erica Johnson, Kimberly Ivany | CBC News | Posted: April 3, 2023 8:00 AM | Last Updated: April 3, 2023
Manulife says ‘never any evidence’ customers’ data has been misused
A Manulife insider is blowing the whistle on what he says were major privacy issues within the company's Canadian banking division that have potentially put thousands of customers at risk.
Customers' bank account information and other personal details — millions of names, addresses, account details, social insurance and credit card numbers, birth dates and transactions, among other things — could be widely seen in a database with few privacy protections in place, he said, adding that it was accessed by more than 100 employees and shared with an unknown number of others.
"Anyone who's been a customer of Manulife bank … your data could have been taken by someone," he claimed in an interview with Go Public.
"They could use it to steal your identity. They could open up a line of credit in your name, get credit cards in your name, sell the information to someone else, and there's no way to ever know if it happened."
Go Public has also obtained an internal Manulife report written in the spring of 2021 that mirrors the insider's concerns. It documents data and privacy issues with that database, which at that point had existed for almost a decade.
But after upper management read the report, executives didn't want to fix the problem, says the insider, who was part of a group that sought solutions.
"I realized that this isn't something that's being taken seriously," he said. "This isn't something that [Manulife is] willing to spend much of any time or resources or money on fixing."
CBC News is not revealing the insider's identity because he fears professional repercussions.
Toronto lawyer Jennifer Davidson, who specializes in information technology, privacy and cybersecurity law, says she, too, was disturbed after reading the internal report.
"It's cause for every person who has shared information with Manulife to be concerned," she said.
She says corporations handling sensitive personal data must have strong data security and abide by rules around limitation of use, such as only using data for the reason it was collected — and those safeguards appeared to have been lacking when the database was reviewed two years ago.
Manulife's global head of media relations, Luke Shane, declined an interview request, but wrote in a statement that the database "meets or exceeds regulatory requirements for privacy" and the company's internal privacy and security standards.
When Go Public asked whether the database met regulatory privacy requirements before concerns were outlined in the 2021 report, Manulife did not clarify.
Shane also wrote that Manulife holds itself "to the highest ethical and professional standards," including critical oversight of privacy and security of personal information.
'This could ruin lives'
The insider tells Go Public that a small database nicknamed "Databarn" was built years ago to help with general analytics and reporting purposes — created, he said, "by people who needed access to more data than they had" in order to make data analysis easier.
Over time, he says, the database grew — information was continually added and the circle of employees wanting access grew, too. It eventually became central for banking operations, he said, used for an expanding range of purposes such as helping Manulife run promotions, tax reporting and cross-selling.
In early 2020, he says, an internal review started because of Databarn's growth, and because employees relied on the database so heavily.
That's when big problems came to light, he said.
An in-depth investigation resulted in the aforementioned report by a lead data architect, in which he warned higher-ups about potential, enormous risk to customers.
"How we got here doesn't matter," wrote the author. "It's where we go from here that needs to be where we all focus our efforts."
The data architect was concerned that there was no way to know what had been done with Databarn data, where it had gone, who had seen it and what they might do with it.
"This could ruin lives," he warned.
Some of the key concerns outlined in the report include:
- The "principle of least privilege" was not being followed. (That's an information security concept whereby a user should only have access to the specific data needed to complete a required task.)
- Some credit card numbers were not masked — all 16 digits could be seen.
- Manulife employees were sending/receiving unencrypted emails that contained customers' private information.
- There was no ability to trace how or why data was being used, what data was looked at or when.
- Customers had not been informed Manulife would be putting their data in a database "with insufficient access controls and auditing in place."
On top of all that, says the report, personal identifying information and credit card information was being downloaded and stored on laptops, meaning the sensitive data could be taken home and stored on another computer.
"That's an enormous concern," said Edmonton data ethicist Katrina Ingram who studies how data is collected and used and advises companies on best practices.
She says people's private data should not be copied onto devices that are removed from the workplace.
"That certainly increases the risk … of that data falling into the hands of a bad actor."
In its statement, Manulife denied there was any breach of security safeguards and wrote that there was "never any evidence" customer data had been misused. The internal report, however, said there was no way to know.
Go Public asked how Manulife is sure that no evidence of a breach means none has occurred. The company did not answer that question clearly.
'Raised to the highest levels'
Manulife executives, managers, legal and tech experts looking into Databarn's problems reviewed the internal report, says the insider.
He says everyone expected high-level decision-makers to read the report and act quickly. Instead, he says, corporate concern seemed to move to the back burner.
Go Public has reviewed a recording of a Manulife meeting held months after the internal report sounded alarms over Databarn.
During the meeting, vice-president and chief architect Mike Pettersen had concerns about customers' private information.
"We have no idea if we've been breached or not … or we've had data loss, right?" he asked.
Also in a meeting, the chief information officer of the banking division, Jack Jones, says that the chief compliance officer Michael Kerr — who was not present — doesn't want resources taken away from revenue-generating initiatives to prioritize Databarn fixes.
"It's been raised to the highest levels and those are the decisions that have been made," said Jones.
Go Public asked Manulife to comment on its chief compliance officer's opinion that Databarn issues did not need to be a top priority.
Manulife's statement to Go Public did not address the question, but said "action was taken immediately to confirm the safety of customer information" and that more restrictions to internal access were added to the database after concerns were first raised.
The company did not elaborate further when asked to provide more information about any changes that may have been made to the database since the report was filed in 2021.
Legal issues
The internal report also warned that Manulife may have unknowingly violated a number of privacy principles in the years since Databarn had been created.
"Because of this we may be forced to disclose this situation to the government, our customers or both," says the report. "We need to assess this as soon as possible and take whatever steps are necessary."
The Manulife insider says, to his knowledge, the bank has contacted neither the government nor its customers.
Manulife's spokesperson said that the company reports any breach of security safeguards involving personal information under its control that "creates a real risk of significant harm to an individual."
The spokesperson said no breach of security safeguards occurred, and there was "no issue that met the regulatory threshold for reporting."
A spokesperson for the Office of the Privacy Commissioner (OPC), Vito Pilieci, declined Go Public's interview request, saying in an email that the matter "could potentially become the object of a complaint before the OPC."
Davidson, the lawyer, says she sees plenty of reasons Manulife's database could have been problematic. Canada's privacy law — the Personal Information Protection and Electronic Documents Act — applies to any private-sector corporation that collects, uses or discloses people's personal information.
"It doesn't seem to be in compliance with the federal privacy laws, or the provincial privacy laws for that matter," she said, referring to the almost ten years Databarn existed before an investigation began.
"It may be in violation of the Bank Act and then further, there were PCI [payment card industry] compliance issues that were noted in the report."
Companies handling sensitive credit card information must comply with the Payment Card Industry Data Security Standard, to protect against credit card fraud.
Ingram, the data ethicist, says big privacy issues in large corporations like Manulife could seriously erode customer confidence.
"We need to be able to trust those kinds of organizations because there's so much sensitive information that we're sharing with them."
The Manulife insider says it's all taken an emotional toll — not solely because of the privacy issues discovered, but because the company seemed to ignore its responsibilities to customers.
"It's honestly terrifying," he said, ruminating about Manulife bank customers whose information was exposed for so many years. "These are real people, with real lives. They deserve better."
Go Public is an investigative news segment on CBC-TV, radio and the web.