# Security breach at People's Trust



## ShowMeTheMoney (Apr 12, 2009)

I just got a letter from People's Trust saying Chinese hackers got into their online applications database. The hackers have my name, address, email, telephone number, dob, sin. They say banking information is separate and not compromised. They put a flag at the credit bureaus for all their customers. 
Yikes.


----------



## Itchy54 (Feb 12, 2012)

yikes....don't want to get my mail....I have a pit in my stomach, bla

how does one contact the credit bureau??


----------



## Video_Frank (Aug 2, 2013)

I did not receive an email. Are you sure the email you received isn't a phishing expedition?


----------



## fatcat (Nov 11, 2009)

i got the same letter
never even ended up doing business with them in the first place
but i guess they kept all the information in a database which got hacked
and now in bc they want us to link our driving records to our health records with the new combined card
these idiots are clueless
either too stupid or too cheap to put proper protocols in place


----------



## cedebe (Feb 1, 2012)

Itchy54 said:


> yikes....don't want to get my mail....I have a pit in my stomach, bla
> 
> how does one contact the credit bureau??


I got the same letter in the mail yesterday. I've since thrown it into recycling, but I believe PT stated that they would contact the credit bureaus and basically put an 'alert' on the individual's account for 6 yrs. It would be up to the individual to have the alert removed sooner if that was his/her preference.


----------



## Video_Frank (Aug 2, 2013)

I should have waited until I checked the mailbox - got one too. I assumed you meant email with my earlier posting.


----------



## eulogy (Oct 29, 2011)

I haven't got the letter,,, yet. Maybe I need to rethink going after the highest interest rate because these smaller operations might not have the security, quality control or money to put in top of the line security.


----------



## mrPPincer (Nov 21, 2011)

Yeah I was kinda thinking the same thing, but too late now I guess, it's done and the chinese have all our info now.
Personally, I'd like the 'alert' to be permanent but I don't have much use for credit anyways.
I didn't receive the letter yet either :dread:


----------



## fatcat (Nov 11, 2009)

the alerts are in the process of being uploaded
once the bureaus get them (equifax and transunion)
they should be there for 6 years

but i would call and verify that they are there
you won't have to pay anything

if you just call and ask to have an alert placed (as i do routinely) they now charge you $6.20 for a 6-year alert

but in this case there will be no need to do that


----------



## Jay3 (Jul 16, 2013)

So what's the added security of the alert exactly? 

Say those chinese have our sin's and use them to do illegal stuff.....what's this alert do that would stop them from completing such illegal transactions?


----------



## eulogy (Oct 29, 2011)

Essentially, as far as I understand, is that the alert is that if someone tries to open credit in your name (that includes you) there are more steps to jump through. I'm not exactly sure what the exact steps are, but it may require the business offering credit to send you a letter to your address on file to approve such openings. And I think if someone checks your credit report (not necessarily for opening credit, like say a cell phone plan) they'll see the alert and know that they should be looking for a higher degree of proof.

It's not the end of the world to have this alert. I've heard of companies in the US that offer "credit security" services and people essentially pay them for this... and all they do is have your credit report flagged like this. Some people like the extra steps for opening credit.


----------



## leoc2 (Dec 28, 2010)

I have "_Identity Plus Solution_" as part of my TD Meloche Monnex home insurance. I will give them a call on Monday to see what they have to say.

http://www.melochemonnex.com/residential/identity_plus


----------



## james4beach (Nov 15, 2012)

Suspected phishing scam unless you can absolutely verify with PT that this breach indeed happened

Or if you still have the email, 'show source' or 'full headers' and post here, and I'll tell you if it's authentically from PT


----------



## Video_Frank (Aug 2, 2013)

It was snail mail, delivered to our mailing address. It wasn't email.


----------



## fatcat (Nov 11, 2009)

james4beach said:


> Suspected phishing scam unless you can absolutely verify with PT that this breach indeed happened
> 
> Or if you still have the email, 'show source' or 'full headers' and post here, and I'll tell you if it's authentically from PT


james, take a deep breath, it's a letter from pt, an actual letter, on paper, that kind ....

i spoke with the privacy officer from pt who was extremely forthcoming and helpful

they had an intrusion from the peoples republic of china ... that means that hackers _got in_ to their online application database ... what they did while in there is unknown, they may have harvested names and data, they may not have ... we need to assume that they did get data

1) if your name was in the database that may have been compromised, pt is in the process of sending fraud alerts to equifax and transunion, these fraud alerts will be on your accounts for 6 years and means that any attempt to use the database or get credit will be scrutinized with extra care and any credit grantor will be required to contact you to confirm that indeed it is you applying for credit

2) call equifax and transunion and verify that these alerts are indeed in place

3) update your information including contact phone numbers so creditors can verify with you any application 

4) if you use credit a lot, this may be a hassle and you can decide whether or not you want to keep the alert in place

5) if you are like me and use credit not at all, having the alert in place is a very good thing ... i had alerts on file before this happened because i no longer use credit and i want to de-risk from identity theft as much as possible ... if no fraud occurs and no creditor contacts the bureau you can call both credit bureaus and pay $6.20 and have an alert placed on your file which will last for 6 years ... if you no longer use or have no plans to use credit, i highly recommend doing this and it will be $12.40 well spent ... know that if you do want to apply for credit, you will have to jump through some hoops ... no going in and buying that maserati and driving it off the lot the same day ...


----------



## AltaRed (Jun 8, 2009)

fatcat said:


> if your name was in the database that may have been compromised, pt is in the process of sending fraud alerts to equifax and transunion, these fraud alerts will be on your accounts for 6 years and means that any attempt to use the database or get credit will be scrutinized with extra care and any credit grantor will be required to contact you to confirm that indeed it is you applying for credit


Which brings up a question I had not considered before. How do Equifax and Transunion get one's change in address, telephone number, etc.? Credit rating agencies are not normally on the list of address changes I would contact when I changed addresses.


----------



## fatcat (Nov 11, 2009)

AltaRed said:


> Which brings up a question I had not considered before. How do Equifax and Transunion get one's change in address, telephone number, etc.? Credit rating agencies are not normally on the list of address changes I would contact when I changed addresses.


i'm no expert here but i think they pick them (the changes) up pretty quickly

you have all kinds of people you deal with sending your data back to equifax and transunion ... your banks and credit card companies, landlords, the list is very long

but yeah, if you have a fraud alert, you definitely want to make sure they have an updated phone and address so creditors can contact you to verify


----------



## sags (May 15, 2010)

I considered using an internet based money program to store our financial information, so it would be accessible from different computers (in case my main computer blew up)..........but the danger of hacking made me decide to buy a memory stick and just keep updating it.


----------



## ShowMeTheMoney (Apr 12, 2009)

I should have been clearer this was a snail-mail letter, not an email. I'm keeping that letter. It might come in handy if I need to explain or prove that my personal info was breached and thus the flag on the credit report.


----------



## james4beach (Nov 15, 2012)

Wow a real breach... definitely not an email scam like I first thought.

While this is of course serious, one thing you should realize about IT security is that companies generally try to keep it secret when they've been hacked. Companies you deal with are compromised all the time, they just won't publicize it. So just because PT was transparent about it... don't get the idea that they're the only bank/credit union that's been hacked recently. These sorts of intrusions happen often. Sometimes they go unnoticed, sometimes they are discovered long after the fact, and sometimes they're noticed but kept secret due to fear of losing business.

And it's not just banks/credit unions that suffer data compromise. Many institutions you deal with are hacked all the time. Universities are a great example. All those student records (names, birth dates, SIN numbers, and banking details) are at risk of theft and these intrusions happen often. I think it happened at the University of Brandon just last week.

This is common stuff... in the modern age you should expect that your private data is getting stolen all the time.


----------



## rivet (Nov 30, 2012)

I was just about to open an account at PT to take advantage of their TFSA rate, now what should I do, is their security still trust-able?
I don't think this is something we should just take it as sth. common, if banks store our info, they should have some thought of security system to protect it.


----------



## fatcat (Nov 11, 2009)

as james has said, this is now the order of the day (having your data all over the place)
so many computers and people have access to all this data now

if this had happened 5 years ago, i would have hit the roof, but nowadays it is just the way things are going to be
peoples trust has actually been very forthcoming and very good at dealing with this

i think now is probably an excellent time to open an account there since i think they are going to take their web security a _lot_ more seriously

i think that, unless you are a person that uses credit a LOT, it is well worth the time and trouble to proactively place a fraud alert on your credit file, it costs $6.20 for a 6-year alert and it is money well spent


----------



## ShowMeTheMoney (Apr 12, 2009)

I agree. Our data is out there for hackers to get. It's impossible to live off-grid. 
And that was the second letter (snail) I got this week. The first was from a doctor's office. Informing me that they had all their patient info backed up on unencrypted USB keys, that somehow "disappeared". All they suggest is that I could get my OHIP number changed. Since I haven't seen that doctor since my OHIP# was renewed (and I think it changes a bit every time), I'm no worried about that so much, but still. The letter also said they told me because they are legally obliged to do so (not because it's the right thing to do anyway). Neither letter mentioned any compensation for their failures, or for my problems should someone make use of this illegally obtained info that they did not secure. My data is out there, and it's my problem.


----------



## WillyA (Apr 14, 2011)

fatcat said:


> as james has said, this is now the order of the day (having your data all over the place)
> so many computers and people have access to all this data now
> 
> if this had happened 5 years ago, i would have hit the roof, but nowadays it is just the way things are going to be
> ...


All the other cases I have heard it is usually that they lost the file or it went missing this is one of the first ones that they were actually able to pinpoint up to where the attack came from. If I had an account with people's trust I would be freaked out right now in addition to the alert placed on the file, credit monitoring is a good one as well I know for the student loan file that got missing the government offered that as well.

I almost opened an account with them earlier in the year, opted for ing and mina instead. I am safe for now I guess


----------



## MRT (Apr 8, 2013)

fatcat said:


> ...
> i think that, unless you are a person that uses credit a LOT, it is well worth the time and trouble to proactively place a fraud alert on your credit file, it costs $6.20 for a 6-year alert and it is money well spent


good advice, fatcat - I used to see this all the time in my past job - typically your phone number in included in the alert message, meaning that anyone reviewing the bureau report (e.g. credit grantor) is supposed to call the client at that number to verify their identity and to confirm that the transaction/application is legit.


----------



## james4beach (Nov 15, 2012)

Perhaps now is a good time for all of us to go order another round of free credit histories from Equifax and Transunion.

I like the phone method, through the automated voice prompts. A bit annoying but I found it easier than mailing the form
http://www.greatponzi.com/guide/credit_history.html


----------



## ShowMeTheMoney (Apr 12, 2009)

I tried the phone method. Equifax didn't work at all, and TransUnion wouldn't give it to me after 2 tries with 2 different credit cards to verify my id. So I bit the bullet and paid to get the reports online.
Everything is in order. I see the flag on the TransUnion report:
￼
RECEIVED NOTIFICATION OCTOBER 2013 THAT CONSUMER MAY BE A COMPROMISE VICTIM. PRIOR TO EXTENDING CREDIT, PLEASE CONTACT APPLICANT TO VERIFY ALL INFORMATION. NOUS RECU AVIS EN MARS 2012 QUE CE CONSOMMATEUR A POSSIBLEMENT ETE VICTIME DE COMPROMISSION. AVANT D'ACCORDER DU CREDIT, VEUILLEZ COMMUNIQUER AVEC LE DEMANDEUR POUR VERIFIER TOUS LES RENSEIGNEMENTS.

However not on the Equifax:

No Special Services Message

No Consumer Statement on File


----------



## leoc2 (Dec 28, 2010)

leoc2 said:


> I have "_Identity Plus Solution_" as part of my TD Meloche Monnex home insurance. I will give them a call on Monday to see what they have to say.
> 
> http://www.melochemonnex.com/residential/identity_plus


I called today. They said they can only take action if (or when) I am defrauded. I asked if they would pay the monthly fee for something like MyCreditAlert ($20/month) or MyIdentityAssist ($9/month). They said no. I guess paying for prevention is not important to them. Maybe we should ask PT to pay for this type of service?


----------



## james4beach (Nov 15, 2012)

I'll say it again to be fair to them - I don't bank with them and I don't even recommend using them (for other reasons).

This kind of security intrusion is not unique to them. It does happen at other financial institutions, you just don't hear about it. Perhaps PT is more transparent and honest than other institutions?


----------



## alingva (Aug 17, 2013)

you might be interested in this www.idalerts.ca


----------



## Retired Peasant (Apr 22, 2013)

leoc2 said:


> Maybe we should ask PT to pay for this type of service?


The initial post says that PT put a flag on all affected customers at credit bureau.


----------



## pnky (Jul 16, 2012)

Wife and I have since got our credit disclosures from Equifax and Transunion. Both have entries to say that we may have been victims of a data theft. Equifax has a generic note to the effect of 'lost data by way of lost or stolen wallet or similar' while Transunion has a more meaningful note to indicate that we may have been victims of data theft and lenders must contact in person before approving credit.

I am hopeful that this will do the trick for us.


----------



## eulogy (Oct 29, 2011)

I never actually got a letter yet for this... so I'm hoping I haven't been one of the unlucky ones. Sending my papers in to get my credit reports (I do it twice a year), so we'll see if there's anything on the file.


----------

