Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Two Canadian Banks Probe Alleged Exposure of Customer Data

Fraudsters Claim Breach of 90,000 Bank of Montreal and Simplii Accounts
Two Canadian Banks Probe Alleged Exposure of Customer Data
Bank of Montreal branch in Montreal (Photo: Can Pac Swire via Flickr/CC)

(See latest update on this story.)

See Also: How to Build Your Cyber Recovery Playbook

Two of Canada's biggest banks are investigating claims by attackers that they accessed personal data for tens of thousands of their customers.

Both the Bank of Montreal, operating as BMO Financial Group, and Simplii Financial, a banking subsidiary of the Canadian Imperial Bank of Commerce, said they received reports on Sunday that client information had been compromised. BMO and CIBC are respectively Canada's fourth and fifth largest banks, by assets.

Bank of Montreal suspects that 50,000 of its 8 million Canadian clients' personal and account information may have been accessed, according to a statement issued by BMO Financial Group.

Meanwhile, Simplii Financial said in a statement that it's been alerted that about 40,000 of its 2 million clients' personal and account information may have been accessed. It says there are no signs that anyone who banks with CIBC was affected.

Both banks say they're investigating the alleged data exposure; neither has yet to confirm whether it believes the information was indeed accessed, or whether it has been able to debunk those claims.

But both banks say they are directly contacting all customers that they believe may have been affected.

Bank of Montreal Investigates

BMO says it was contacted by "fraudsters" on Sunday who claimed "that they were in possession of certain personal and financial information for a limited number of customers."

The bank says it believes that the attackers were operating from outside Canada. "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO says.

BMO didn't immediately respond to a request for comment about whether attackers demanded the bank pay a ransom.

But a spokesman for BMO told Reuters that the attackers had threatened to publicly release the allegedly stolen information and said the bank was working with authorities to investigate the alleged exposure of 50,000 customers' personal data.

And CBC News reports that those claiming to be the hackers involved have threatened to release the personal information unless the banks pay a $770,000 ransom for its safe return.

Notification: Bank of Montreal Customers

BMO notification to customers on its website

BMO has a nonspecific alert on its homepage that reads: "Your security is our priority." It links to a security notice in which the bank says: "We received a claim that fraudsters gained access to certain personal and financial information for some of our customers."

The notice also notes: "We are calling each potentially impacted customer to offer complimentary credit monitoring, replace cards, ensure all passwords get reset, and determine if there was any financial impact. Customers will not lose money from this incident, as we will fully reimburse our customers for any financial impact of unauthorized transactions."

The bank says that customers with chip-and-PIN debit or credit cards can continue to use those cards, even if their accounts were potentially affected by the breach.

Unlike the United States, which standardized on chip-and-signature cards, Canada has followed Europe's lead and put in place chip-and-PIN cards, which can only be used at a point of purchase if the cardholder enters a four-digit PIN.

Information security experts point to chip and PIN as being the more secure approach. But in the U.S., many card issuers worried that requiring PINs would lead consumers to use their payment cards less often.

Simplii Financial Investigates

Simplii said it has "implemented additional online security measures in response to a claim ... that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii's clients."

"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," said Michael Martin, a senior vice president at Simplii Financial, in a statement. "We feel that it is important to inform clients so that they can also take additional steps to safeguard their information."

The bank's investigation continues. "We are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests," a spokesman tells Information Security Media Group. "While the issue affects a limited number of individuals, we are providing updates to all Simplii clients through social media, and via email messages. We are also reaching out directly to clients who may have been impacted."

The spokesman declined to comment on whether attackers were holding the allegedly stolen information for ransom, "except to say that it is our practice not to pay ransom demands."

Notification: Simplii Customers

Simplii alert to customers on its website

Simplii Financial is also displaying an alert to all visitors to its website saying it is investigating a report, received Sunday, that attackers accessed some of its clients' data.

"We are reaching out to those that have been affected to offer support," the bank says in its alert. "Simplii is extending free credit monitoring to impacted clients and we are committed to returning 100 percent of any money lost from affected accounts as a result of this issue." The bank said it's also replacing cards for affected clients and keeping a close eye on their accounts for signs of fraud.

"We have a dedicated team that is working to make this right for our clients," the bank says.

Bank of Canada Seeks Better Resiliency

The Bank of Canada, the country's central bank, recently launched a new cybersecurity initiative in collaboration with the country's six biggest banks.

The program is designed "to test and enhance the cyber resilience of the wholesale payments ecosystem," Filipe Dinis, chief operating officer of Payments Canada, which operates the country's payment clearing and settlement system, in a speech earlier this month.

"The goal is to have a rapid, collaborative approach to recovery should a key participant be affected by a serious cybersecurity event, such as the corruption of critical data that results in a prolonged operational outage," said Dinis, who's leading the project.

Executive Editor Jeremy Kirk also contributed to this report.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.