The National Bank of Canada wants to “follow you closely” using Adobe Analytics and possibly other similar tools. This is not a good idea. Our government should require all Canadian banks to adopt a single, unified Privacy Policy for their customers — and perhaps update PIPEDA to eliminate national security risks.

This policy should be customer-driven and, to be acceptable, must prevent any possibility of customer information being made available or leaked to any other entity (except credit bureaus, whose use should be strictly limited). Selling customer information should be considered a criminal act, and creating a potential high-risk loophole should be punishable by jail time for bank management.

It should be illegal to track customers for marketing purposes while they are performing their normal banking activities.

It should also be completely illegal to use servers that are not under the control of companies fully based in Canada. Canadian banks should not use any cloud service from Azure, AWS, Cloudflare, or Adobe. These are American companies and represent a very high national security risk. Adobe Analytics will not improve the security of any operation; quite the contrary. In fact, banks should not be authorized to use any cloud services outside the control of their own computer centres.

Adobe Analytics — A BIG RISK

Risk management at the National Bank of Canada appears to be relaxing and tolerating significant risk. From a banking and risk perspective, using Adobe Analytics is a highly questionable choice.

There are several reasons why people in security, privacy, and traditional IT view this as highly questionable and believe it should never be used in a banking application.

Attack Surface Expansion

Integrating Adobe Analytics or Adobe Experience Cloud into a bank’s public-facing site introduces third-party code that has access to sensitive user interactions in a high-trust environment. This creates a non-trivial risk from both security and privacy perspectives.

Data Gravity and Mission Creep

What starts as “anonymous UX metrics” can drift toward profiling and behavioural correlation once marketing gets involved. Even when data is described as “pseudonymized,” banks already hold enough information that re-identification is only one bad decision away.

Regulatory Tension

Financial institutions operate under PIPEDA and applicable provincial privacy laws. Adobe’s ecosystem was designed for retail and media, not for conservative banking threat models.

Third-Party Dependency for Core Insight

When analytics, segmentation, and testing logic live outside the bank, part of the bank’s situational awareness is effectively outsourced to a vendor whose incentives are not aligned with minimizing data collection.

It Solves a Marketing Problem, Not a Banking Problem

Customers do not choose a bank because a homepage was clever. They choose a bank for trust, stability, and discretion. Using Adobe Analytics during banking operations is extremely intrusive and frankly creepy.

From a pure security perspective, a safer model would include:

  • First-party analytics only (bank-owned tools, not cloud-based)
  • Strict Content Security Policy (CSP) with no dynamic third-party JavaScript
  • Minimal behavioural tracking
  • No cross-site or cross-session profiling
  • UX improvements driven by aggregated, internal telemetry
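
One way to check a site's Content-Security-Policy against the model above is sketched here as an added example; it is not code from any bank or vendor. The function names, the first-party domain bank.example and both sample policies are constructed for illustration.

```javascript
// Audit a CSP header value: report any source that lets script load from, or
// telemetry be sent to, a host outside the first-party domain.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // A repeated directive is ignored by browsers, so keep the first one only.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function isFirstParty(source, firstPartyDomain) {
  const host = source
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "") // drop the scheme
    .replace(/[/:].*$/, "")                  // drop port and path
    .replace(/^\*\./, "")                    // drop a leading wildcard label
    .toLowerCase();
  return host === firstPartyDomain || host.endsWith("." + firstPartyDomain);
}

function auditCsp(header, firstPartyDomain) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ["script-src", "connect-src"]) {
    // Both directives fall back to default-src when absent.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) {
      findings.push(`${directive}: not restricted (no directive, no default-src)`);
      continue;
    }
    for (const s of sources.map((x) => x.toLowerCase())) {
      if (directive === "script-src" && (s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
        findings.push(`${directive}: ${s} permits injected or eval'd script`);
      } else if (s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s)) {
        findings.push(`${directive}: ${s} is not limited to a named host`);
      } else if (!s.startsWith("'") && !isFirstParty(s, firstPartyDomain)) {
        findings.push(`${directive}: third-party origin ${s}`);
      }
    }
  }
  return findings;
}

// Constructed sample policies: one admitting a third-party analytics vendor, one first-party only.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://assets.analytics-vendor.example; " +
  "connect-src 'self' https://collect.analytics-vendor.example";
const STRICT = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self' https://telemetry.bank.example";
console.log(auditCsp(WEAK, "bank.example"), auditCsp(STRICT, "bank.example"));
```

An empty result means every script and telemetry endpoint the policy allows sits under the first-party domain.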

Adobe: Poor Security Track Record

Known Major Incidents Involving Adobe

1. 2013 Adobe Data Breach

  • Hackers accessed Adobe systems and stole customer data and source code.
  • Initially, about 2.9 million customer accounts were compromised, including encrypted passwords and some payment info.
  • Later estimates suggest tens of millions of accounts were affected — up to 38 million active accounts, potentially 150 million records exposed.

2. 2019 Creative Cloud Exposure

  • A misconfigured database left about 7.5 million Adobe Creative Cloud user records publicly exposed. This was due to an exposed database, not a classic hack.

3. Ongoing Vulnerabilities and Exploit Activity

  • Adobe products (e.g., Magento/Commerce and Experience Manager) continue to have critical vulnerabilities that are actively patched due to ongoing risk.

While the 2013 breach is the most widely cited, security researchers track several Adobe incidents over the years, including exposures and exploited vulnerabilities affecting customer data or system integrity.

Why Would a Bank Want to Associate With Adobe?

I can only guess that the bank’s marketing departments like the very shiny dashboards sold by Adobe. Beyond the added risk, it provides nothing of value to bank customers.

Finally, this is also a national security risk, as Adobe is an American company. Canadian banks should never trust any U.S. company with their most sensitive information — unless they have 100% control over the data, and it resides entirely in their own computer centre, never on a cloud provider, not even for a millisecond.

By rr
