Bank of Montreal and online bank Simplii Financial have both disclosed apparent data breaches, warning that “fraudsters” claim to have accessed personal and account information belonging to tens of thousands of customers.
BMO, which is Canada’s fourth-largest bank, said the alleged hackers claim to have stolen sensitive information, likely belonging to fewer than 50,000 clients, and threatened to make that data public. The bank believes the attack originated outside Canada.
Simplii – a low-cost online bank owned by Canadian Imperial Bank of Commerce – also received notice of an alleged breach involving information for as many as 40,000 customers.
Both banks were contacted on Sunday by the alleged perpetrators, and revealed the apparent breaches Monday morning. The attacks appear to be related, a BMO spokesman said.
Canadian banks spend considerable resources to combat rising cyberthreats, and have been collaborating to head off attacks since at least 2000. There are recovery mechanisms in place in the event of an attack, and banks typically segregate data within their systems to control the scope of a successful breach.
But the urgency to protect critical institutions such as banks against cyberattacks has only intensified. Worldwide incidents such as the WannaCry ransomware attack in 2017, and this year’s disclosure by ride-sharing company Uber Technologies Inc. that a 2016 hack had exposed data belonging to hundreds of thousands of Canadians, have cast a spotlight on data-security concerns, and highlighted the damage a breach can do to customers’ trust.
BMO has a “thorough investigation” under way, according to spokesman Paul Gammal, and the bank has notified “all relevant authorities” as it assesses the potential damage.
“We are confident that exposures identified related to customer data have been closed off,” Mr. Gammal said in an e-mail. “We are notifying customers who may have been impacted.”
The RCMP confirmed it “is actively looking into this matter with the collaboration of the affected banks,” but declined to comment further.
Simplii was launched last year and has about two million clients, most of whom are former President’s Choice Financial clients who were moved over to Simplii after CIBC, Canada’s fifth-largest lender, ended a two-decade partnership with Loblaw Cos. Ltd.
Simplii intends to reach out to customers who may be affected, and promises to fully reimburse any funds lost as a result of the fraud.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security measures,” spokeswoman Olga Petrycki said in an e-mail, adding: “We are investigating to determine the validity of the claims and the type of the information that may have been accessed.”
There is no indication that CIBC clients are affected by the breach. And the six other largest banks in Canada – Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia, National Bank of Canada, Laurentian Bank of Canada and Canadian Western Bank – confirmed there is no sign their customer data has been breached.
It is rare that a major Canadian bank would have customer data stolen, despite being regularly targeted. A recent survey by Ernst & Young LLP found that enhancing cyber and data security ranks as banks’ top priority for 2018. Developments in artificial intelligence and advanced analytics will help fend off attacks, the report suggests, but a “cybersecurity skills shortage” poses a challenge in the face of increasingly sophisticated attempts.
“I think financial institutions … are probably better prepared than most,” said Imran Ahmad, who leads the cybersecurity practice at law firm Miller Thomson LLP. “But this should serve as a bit of a wake-up call for other organizations.”
It’s also common wisdom that it’s likely impossible to stop every attack, and financial institutions make rich targets for hackers looking to steal data and make money. “It’s a business for them,” Mr. Ahmad said. “If they’re reaching out to the bank, it is most likely for financial gain.”
Both BMO and Simplii said it is their practice not to pay ransom demands as it encourages further fraudulent activity.
In recent days, two Simplii customers reached by The Globe and Mail discovered they had been locked out of their accounts, and that fraudulent e-mail transfers had been sent using their funds.
Jennifer Gaudet, a Simplii client in Ottawa, couldn’t log in on Friday or Saturday, and didn’t recognize the security questions used to verify her account. She reset them, but encountered the same problem the next day. When she contacted Simplii, she learned her account had been frozen, but not before an e-mail transfer using $2,889 of her funds was sent to a fraudulent e-mail address.
Ms. Gaudet now has a new account to replace the one that was compromised, but has been told it could take seven to 10 days to reimburse the $2,889 she lost, as well as a $3.50 fee for cancelling the e-transfer.
“I am very worried about how much information this hacker could have. Does he have my home address, my date of birth?” Ms. Gaudet said in an e-mail. “I feel violated by the whole situation.”
The Office of the Privacy Commissioner of Canada has been notified and is working to understand what the banks “are doing to mitigate the situation,” a spokesperson said.
BMO and Simplii Financial, which is CIBC’s direct banking brand, are warning that “fraudsters” may have accessed some customer accounts.
BMO said it received a claim on Sunday, May 27 that the personal and financial information of “a limited number of customers” had been illegally accessed. The bank said it believes the attack originated from outside the country.
The bank said it is “confident” that “exposures identified related to customer data have been closed off.”
The warning from BMO follows similar news from Simplii, which said fraudsters may have electronically accessed data from 40,000 client accounts.
Simplii said it has implemented additional online security measures as it continues to investigate. The changes include enhanced online fraud monitoring and online banking security measures.
Both banks said they are reaching out to clients and advised customers who notice any unusual activity to get in touch.
A message appearing on the Simplii app on Monday says that “fraudsters may send messages asking for personal information.” The bank said to send any suspicious correspondence to fraud@simplii.com.
Simplii said that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
With files from the Canadian Press
Canada’s banking industry received a jolt Monday after Bank of Montreal and Canadian Imperial Bank of Commerce’s Simplii Financial reported they were investigating the possibility that “fraudsters” may have accessed some of their customers’ information.
Both BMO and Simplii said they had been contacted on Sunday by unnamed individuals claiming that information may have been accessed, with BMO saying fraudsters alleged they possessed “certain personal and financial information for a limited number of customers.”
A spokesperson for BMO said they believe the number of accounts affected is fewer than 50,000.
“Yesterday, we became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public,” said Paul Gammal in an email. “We are working with the relevant authorities and are conducting a thorough investigation.”
BMO, Canada’s fourth largest bank, said it believes the purported attackers initiated the assault from outside the country. The bank added that it was proactively contacting customers who may have been affected.
“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” the bank said in a statement.
BMO’s spokesperson said the issue appears to be related to a similar one at Simplii, CIBC’s direct banking brand. Simplii announced Monday that it had implemented additional online security measures in response to a claim that personal and account data of around 40,000 clients may have been accessed electronically.
While Simplii said there is currently no sign of clients banking through CIBC being affected, a spokesperson noted that it was trying to determine the validity of the claim and the type of information that could have been accessed. It also vowed to reach out to customers and to return 100 per cent of any money lost from a client’s account because of the situation.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice-president at Simplii Financial, in a release. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
No similar issues were reported Monday by Bank of Nova Scotia, Royal Bank of Canada or Toronto-Dominion Bank.
The situation, however, comes at a sensitive time for the banks, especially as amendments to federal legislation governing financial institutions are being weighed in Ottawa.
Bill C-74, according to its summary, could expand the type of activities that banks engage in with fintech companies, “as well as modernize certain provisions applicable to information processing and information technology activities.”
Last week, Canada’s privacy commissioner expressed concerns about the legislation to the Senate banking committee, warning it may not strike the right balance between promoting innovation and protecting privacy.
Moreover, the situation at BMO and Simplii comes as lenders say they are investing heavily in technology and seeing increased mobile and online banking. And the high-profile data breach that struck credit reporting agency Equifax Inc. has already shown the impact of such problems.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” said Dr. Ann Cavoukian, the former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre. “This is a real eye-opener.”
While not ruling out the possibility of a similar situation having happened, Cavoukian said she could not recall one in Canada with a Canadian bank. The former privacy commissioner was also critical of the language used in reporting the potential incidents.
“The question that that begs is why weren’t you engaging in those measures all along?” Cavoukian said.
The banks said they were working with various authorities on the claims.
A spokesperson for the Office of the Privacy Commissioner of Canada said they had been notified of the situation, “and we are working with the organizations to better understand what occurred and what they are doing to mitigate the situation.” Due to confidentiality provisions, the commissioner’s office said it could not provide further details at this time.
Banks, along with other industries, do report data breaches to the privacy office, the spokesperson said. The 2016-17 annual report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act showed that the financial sector made up 79 of the 325 PIPEDA complaints accepted by the office that year.
The commissioner’s office also noted that there have been “numerous high-profile data breaches in Canada” over the past few years.
A spokesperson for Canada’s banking regulator, the Office of the Superintendent of Financial Institutions, said they were aware of the incident, but that they are required by law to keep supervisory information about specific banks confidential.
Financial Post
Email: gzochodne@nationalpost.com | Twitter: GeoffZochodne
Two Canadian banks warned customers Monday that they have been the targets of hackers, and the personal information of tens of thousands of customers may have been stolen.
CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank's customers.
The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.
"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," the bank's senior vice-president Michael Martin said in a statement.
Then later Monday morning, Bank of Montreal revealed that it, too, had received a tip that "fraudsters" had stolen data on up to 50,000 of the bank's customers, "and a threat was made to make it public," BMO spokesperson Paul Gammal said.
In BMO's case, at least, the tipsters were the hackers themselves.
"We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO said.
Outside Canada
"We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them," BMO said.
When asked whether the hackers themselves were the ones who tipped off the bank over the weekend, Simplii did not expand on its initial statement.
Michael McCarthy of Edmonton told CBC News that a fraudulent transfer for $980 was sent from his Simplii Financial account on Saturday.
"The bank said they blocked it, but it still hasn't been reversed," he said, adding that the bank hasn't told him when it will be corrected.
"My biggest concern is around my personal information in someone else's hands."
McCarthy said Simplii is issuing him a new bank card, but because the company is not a bricks-and-mortar institution, they're going to mail the new card, which is expected to take four to seven days to arrive. In the meantime, he can't access his money.
Unusual approach
Cybersecurity researcher Jérôme Segura with Malwarebytes Labs says it's very unusual for hackers themselves to tip off the company, because the moment they do, whatever information they have becomes effectively worthless.
"It's probably just that they were trying to blackmail them," he said in an interview with CBC News.
"They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, 'We're going to release this or else we can work something out,'" he said.
David Masson, the country manager for Canada at cyberdefence firm Darktrace, said it's reasonable to suspect that the fraudsters were the same group at both banks. Based on what he's seen, Masson said, he suspects the attack was likely what's known as a "spear phishing" attack.
Unlike a so-called phishing attack, which targets people indiscriminately in the hope that someone will fall into the trap, a spear phishing attack is more closely targeted at individuals, using techniques to make them hand over crucial data.
BMO says the fraudsters threatened to take whatever information they had stolen public. (Chris Helgren/Reuters)
"They'll even pick people inside banks and financial institutions and aim their attack at them," he said. "Even if you get 99 per cent to be smart, it only takes one."
In its statement Monday, BMO said the fraudsters appear to have been operating outside Canada.
It's unclear where Simplii came up with the 40,000 figure, as that number represents a tiny fraction of the roughly two million customers the bank inherited when CIBC took over Simplii — at the time known as President's Choice Financial — from Loblaws last fall.
Simplii said its investigation is continuing, and it will continue to notify affected clients "through all channels" if it is determined they have been compromised.
Will return 100%
"We feel that it is important to inform clients so that they can also take additional steps to safeguard their information," Martin said.
"If a client is a victim of fraud because of this issue, we will return 100 per cent of the money lost from the affected bank account," the release said.
There is no indication that other CIBC customers are affected, Simplii said.
Later in the day, other major Canadian banks told CBC News that they were not affected by whatever hit the two banks, with Royal Bank, TD and Scotiabank all saying there is no indication that any of their customers have been affected.
Fraud and security intelligence expert Amanda Holden at software firm SAS said Canadian banks, on the whole, do a much better job than some other industries when it comes to preventing fraud, because they deal with it far more often.
"Banks are particularly cautious on this, because they have a financial risk," she said in an interview. "They're a huge target, because the criminals want money."
Different notice
Holden said that most often a bank's first warning of fraud often comes from consumers who notice suspicious activity and report it. Only then do the banks see any trends and identify common points of a breach, such as individual stores.
The hacks revealed Monday are different, because, at least in BMO's case, it's the hackers themselves who tipped the bank off.
Banks are caught in a tough spot on this issue, Holden said, because they are pulled between two competing forces: they want to make it easier to use technology to bank with them, but they don't want to open themselves up to more fraud.
"They're still doing work to figure out how to protect the front doors," she said.