Two customers say the Bank of Montreal violated their privacy and trust by allowing sensitive financial information to get into the wrong hands, then failing to address their complaints.
“I was shaking and I was angry and I had tears in my eyes,” said Loretta Albayate of Gibsons, B.C. “And I said, ‘What’s going on? Why does my ex-husband have all my banking information??”
Albayate said she was shocked when her ex-husband called to say the bank had sent her monthly account statements to his home. She later learned a BMO employee at her branch changed her mailing address to his – without her knowledge or consent.
“He had everything,” Albayate said. “He made it clear he went through my information because he wanted to know what I was up to and what I was doing.”
Carol Hryniuk of Lloydminster, Sask., said BMO breached her privacy when her elderly mother went in to a branch in Woodstock, Ont., and asked for a copy of her MasterCard statement. The teller mistakenly gave the woman a copy of Hryniuk’s instead.
“Our last names aren’t even the same,” Hryniuk said. “How could they give my MasterCard statement out to somebody who isn’t even on my MasterCard?”
“When it first happened, I had this sinking feeling in my stomach, because I thought: ‘What is my family learning about me that I don’t want them to know or share with them?'” Hryniuk said.
Albayate is suing BMO over the 2009 incident, which she said had serious repercussions for her. After her banking records were sent to her ex-husband, she said, he began stalking and threatening to hurt her unless she gave him money.
“He threatened to kill me. He threatened to burn my house down … if I didn’t give him two or three thousand dollars,” Albayate said. “The Bank of Montreal put me in a position where my life was in danger, and that was wrong.”
While they were married, Albayate said, her husband became accustomed to her financial support because she had sponsored him to come to Canada. After she got a divorce she put all accounts in her name only. She believes he persuaded someone at her bank to make the address change.
“To this date I still don’t know for sure how they got his address, and then went and changed my address to his address,” Albayate said.
After she refused to lend him money, Albayate said, her ex-husband was caught on a store surveillance tape following her while she was shopping. That was enough for the RCMP to issue a peace bond, ordering him to stay away from her.
“It all happened shortly after he got my banking information,” Albayate said. “He didn’t know what [money] I had until the Bank of Montreal told him.”
In its response to Albayate’s lawsuit, BMO acknowledges her address was changed in its system at her branch. However, it insists her ex-husband breached her privacy — not the bank — by opening the mail he received.
“Acts allegedly committed by [the ex-husband] were not reasonably foreseeable and were beyond BMO’s control … it was not responsible for [his] conduct,” the bank’s lawyer wrote in a letter.
Albayate said she decided to sue after complaints she filed – in person and by letter – went unanswered by BMO.
“To this date – more than two years later – I never received a reply,” she said.
Hryniuk said she also complained at her BMO branch and was told her MasterCard account is somehow “linked” to her mother’s in the computer system. She said the bank told her the accounts would be flagged to prevent further breaches, but no other changes would be made.
“I was told as far as quality improvements there is nothing that they are doing to change it for any other customer that deals with the Bank of Montreal,” Hryniuk said.
BMO didn’t respond to requests from CBC News for an interview. Instead, it sent this short statement: “We take the protection of customer information very seriously. BMO voluntarily self-reports all significant breaches to the Office of the Privacy Commissioner.”
The commissioner’s office in Ottawa receives more complaints about the financial sector than any other, the assistant commissioner says, adding a combination of human error and easy access to computerized records is the “perfect storm” for privacy breaches at banks.
“There are some very serious mishaps,” Chantal Bernier told Go Public. “So much of the privacy breaches we see are due to human error. And their consequence and occurrence is multiplied by information technology, which is really overwhelming us.”
Bernier said, for the most part, banks are very concerned about privacy and responsive to complaints. Nevertheless, she said, more training is needed.
“As good as the banks are they can’t afford to be any less than excellent. They have to have safeguards proportionate to the risks of breaches of the information they hold,” Bernier said. “Human error is the weakest link. It’s where we see most issues, hence how important training is.”
Ottawa is considering a bill that would make it mandatory for all federally regulated organizations, such as banks, to report every privacy breach, big or small. That would give officials a better sense of where the weaknesses are, Bernier said.
"We believe that it would increase the number of instances reported to us," she said.
Both Albayate and Hryniuk said BMO should do more to address what happened to them.
“I want to know what processes they have put in place to make sure that it will never happens again,” Hryniuk said.
“By speaking out maybe I can help other Canadians – because this is totally unacceptable,” Albayate said.