A Vancouver woman is sounding the alarm for millions of Canadians who have credit and debit cards, after information about her debit card was shared when it shouldn't have been.
Vanessa Acuña blames an "updating service" that some credit and debit card companies have that allows new account numbers and expiry dates to be shared with merchants customers have dealt with in the past.
Information about the sharing of this kind of information with third party companies is often buried in the fine print of bank and credit card agreements.
She thought the details of her Visa debit card — a debit card that can be used for online purchases — were secure.
"[I thought], 'How is this legal?'" Acuña said after discovering PayPal was given the new expiry date on her Visa debit card without her knowledge.
Visa — and other major credit cards — have "updater" programs that automatically provide updated customer credit card information, including account numbers and expiry dates, to subscribing merchants.
Companies automatically opt-in their customers to the service, whether they realize it or not.
The program is meant to be a convenience for customers and help merchants avoid missed payments on recurring bills.
"I have huge privacy concerns … I would really prefer that they tell you and give you an option to opt out of it. But that's not what they did."
The merchants who get the automatic updates pay for the service.
Thomas Keenan, author of TechnoCreep — a book about how technology is eroding privacy — says financial institutions need to ask themselves if they should be making money by sharing customers' information.
Author Thomas Keenan says credit card holders trade privacy for the convenience of the automatic updater service. (Colin Hall/CBC)
"Banks make a business out of information sharing. They actually have services — Visa, MasterCard — and they are paid to share that information," said Keenan.
Acuña believes that updater service is the reason the online payment system got her card information when it shouldn't have — but when she tried to find out why it happened, she couldn't.
'The bank wouldn't do that'
Acuña thought what happened to her private information was her decision, when PayPal sent an email in March asking her to update her debit card's expiry date.
She says she ignored the request, since she opened the account five years ago and rarely shops online and didn't want PayPal to have her new card information.
"Two days afterwards, I got another email saying, 'Oh we updated for you, so you don't have to.' And I just thought 'what?'" Acuña said.
She spent hours on the phone with TD Canada Trust, PayPal and Visa Canada, but instead of getting an explanation, she got three different answers.
PayPal told Acuña it got her new expiry date from her "financial institution or her credit card company."
Visa and TD both denied giving PayPal that information.
"[They said] they don't know who gave PayPal my information, which I don't think is a very good answer," Acuña said.
It turns out Acuña's information shouldn't have been shared at all, since only Visa credit — not debit — cards are part of the updating agreement with TD.
Yet, none of the three companies involved will explain how her new debit card data ended up with PayPal.
Acuña spent hours on the phone trying to figure out why PayPal was given the new expiry date on her Visa debit card. (Richard Grundy/CBC)
After initially telling Go Public it got Acuña's information from the "account update services," PayPal backtracked a few days later, saying the account updater service "doesn't apply" in Acuña's case.
So, how did PayPal get her new expiry date? It won't say, citing customer confidentiality — even though Acuña agreed to waive confidentiality to allow the company to answer Go Public's questions.
Visa Canada and TD also won't say who gave her card's new expiry date to PayPal.
"Visa does not automatically update expiry date information on behalf of TD Visa debit cardholders," a Visa spokesperson said in an email. "Please refer your questions to PayPal."
"TD has no ability to automatically update expiry date information with merchants on behalf of TD Visa debit cardholders. For more information about the service, we recommend reaching out to Visa," wrote Geraldine Anderson from the bank's public relations department.
'Totally unacceptable'
Ann Cavoukian, former privacy commissioner of Ontario, says customers should have to agree to opt-in to services that share updated credit card information with third parties. Right now, customers are automatically opted-in to the service. (Joe Fiorino/CBC)
The lack of answers is why banks and credit card companies shouldn't be sharing any credit or debit card information without clear consent from customers, says Ann Cavoukian, who heads up the Privacy by Design Centre of Excellence at Ryerson University in Toronto.
"It's totally unacceptable," said Cavoukian, who worked as Ontario's information and privacy commissioner from 1997-2014.
"PayPal is one thing. But your own personal bank where your financial info is stored and kept? As I keep telling businesses, this is not your information. The information belongs to the individual."
She wants to see banks get what she calls "positive informed consent" before providing a third party with a customer's information.
"The banks have to step up and do this. They can't just assume you're OK with them sharing your new credit information."
Cavoukian wants to see Canada's privacy legislation, the Personal Information Protection and Electronic Documents Act, upgraded to match the one the European Union introduced in May. The General Data Protection Regulation is considered to have some of the world's strictest online privacy rules.
For now, if customers want to stop merchants from getting updated credit card information, they have to opt out through their banks — although it's unclear if that would have helped Acuña.
"I'm capable of putting in my information online if I need to. It's not a hassle for me, so I definitely would like the option," Acuña said.
She says from now on, she'll take the time to read through all the legalese on those lengthy card agreements, and make sure she opts out of anything that allows financial institutions to share her information with third parties.
Go Public is an investigative news segment on CBC-TV, radio and the web.