Dear Redshirts (updated)

If you ever wanted a perfect metaphor for IT security, watch Star Trek. Go ahead: bust your ass for your entire career, be the top of your class on the flagship of the fleet; when things start going bad because of a management decision you had no say in, you’re going to get killed and nobody in the next episode will even remember your name. Remember Galaxy Quest? “Let’s get out of here before one of those things kills Guy.”

Because really, nobody cares about security.

Well, some of us do. And some of us that do, regardless of our best efforts, will still get screwed, because there’s not much you can do if your bank doesn’t.

Sweet Jeebus. To sum up, an American scrapyard owner has had to go to court in Maryland to prevent the CIBC from sending him any more of its clients’ confidential transaction information. No kidding. How does the mind boggle? Let me count the ways:

  1. The CIBC handles internal branch-to-branch communications by unencrypted fax. In terms of modern information technology, this is like sending your cave drawings via brontosaurus express. It is two trilobites tied together with a long string. I realize that things get pretty hectic between 10:00 and 4:00, but you guys might want to take a look at the landscape; the world’s changed a little since 1978.
  2. Apparently, nobody bothered to ask what actually happened to all those faxes with people’s names, addresses, phone numbers, bank account, SIN numbers and signatures that were sent to somewhere but never received at the other end.
  3. The guy receiving all this stuff called the CIBC in 2001, as in “2004 minus 3” to tell them about it, and got the brush-off.
  4. The CIBC claims they responded to Mr. Peer in 2002, and thought the problem was solved, a thinking that apparently didn’t involve “checking”. Nevertheless,
  5. The bank is now spinning for damage control, saying that the guy they were accidentally sending extremely-private faxes to “failed to co-operate with CIBC’s attempts to solve the problem”, a sure sign that they know that this is huge-for-sure.

The enormity of a fuckup like this defies description; even so, the CIBC should wonder how lucky they were that his next phone call wasn’t directly to the Mob, who would have been more than willing to help him out. It wouldn’t surprise me to hear that a full third of the CIBC’s legal department actually soiled themselves reading the Globe & Mail today.

“Boss, I read the Globe & Mail this morning, and I’ve soiled myself. I have to go home and change.”

“Take a cab. Expense it. On your way back, you should let your wife know that you won’t be home for dinner for the next five years.”

At a guess, I’d say that the CIBC is about to get taken to court and ridden like a pony. I don’t know if there’s one word to describe what happens when a major corporation gets gang-raped by an army of extremely excited lawyers set in the twin pursuits of justice and fat sacks of bank money while the national privacy commissioner is nearby cracking a bullwhip, waving a Stetson around his head and yelling “Yeehah!”, but if I did, this is exactly where I would use that word. I bet there’s one really long German word for it that they don’t use much.

I don’t know who’s in charge of information security at CIBC, but I’m betting nobody; a Tickle-Me Elmo doll in a blue blazer could probably have kept this one at bay. But let me get back to my original point about redshirts just in case whoever’s given that vacant-either-way job next is reading this: if you are in charge of security, and you can’t say “no” to management, then you are not in charge of security – you are in charge of being the fall guy.

Just once, I would have liked to see a redshirt say no.

UPDATE: He was still receiving missent faxes yesterday. So the CIBC has banned faxes completely, and they’re going to courier everything. Yeehah!

Update 2 – The Comedy Continues: “Courier service is something we’ve had since the 19th century,” said Robert Waite, a spokesman for the bank. “It works fine. It may take somewhat longer, but it’s actually an efficient system.”

  1. Posted November 27, 2004 at 1:38 am

    In Canada, a signed fax is legally binding. Not much else can be legally binding in Canada, and also transmitted cross-country at the speed of porn.

  2. Mike Hoye
    Posted November 27, 2004 at 9:19 am

    I’d love to see the wording of that particular statute. Yay for legislation that isn’t technology-neutral.

  3. Zeynep
    Posted November 27, 2004 at 10:22 am

    There is a word that begins with “cluster”, but I suspect that wasn’t the word you had in mind. It isn’t German, at any rate.

    Very funny summary of the situation, anyway.

  4. Will "scifantasy" Frank
    Posted November 27, 2004 at 5:48 pm

    The word that comes to my mind is “schadenfreude,” but that’s what we’re getting out of all this…

  5. Anonymous
    Posted November 28, 2004 at 12:37 pm

    I bet there’s one really long German word for it that they don’t use much.

    I made one up:
  6. Mike Hoye
    Posted November 29, 2004 at 12:03 am

    Re: “I’m betting nobody”:

    Note that in this open letter, Ron Lalonde (the CIBC executive who will apparently be taking the hit for the team on this one) is described as “Ron Lalonde, Senior Executive Vice President, Chief Administrative Officer, and Chief Privacy Officer.”

    Curiously, in this description of the man and his position, that “Chief Privacy Officer” bit doesn’t show up at all. In fact, right now the only result returned when you search the CIBC web site for the phrase “privacy officer” is the aforementioned open letter.

  7. Anonymous
    Posted November 29, 2004 at 2:11 pm

    To be fair, his job description does include “legal”, “compliance”, “communications” and “other administrative functions” (whatever that means). So he’s a pretty good target for the fall guy.