Bank of Montreal and online bank Simplii Financial have both disclosed apparent data breaches, warning that “fraudsters” claim to have accessed personal and account information belonging to tens of thousands of customers.
BMO, which is Canada’s fourth-largest bank, said the alleged hackers claim to have stolen sensitive information, likely belonging to fewer than 50,000 clients, and threatened to make that data public. The bank believes the attack originated outside Canada.
Simplii − a low-cost online bank owned by Canadian Imperial Bank of Commerce − also received notice of an alleged breach involving information for as many as 40,000 customers.
Both banks were contacted on Sunday by the alleged perpetrators, and revealed the apparent breaches Monday morning. The attacks appear to be related, a BMO spokesman said.
Canadian banks spend considerable resources to combat rising cyberthreats, and have been collaborating to head off attacks since at least 2000. There are recovery mechanisms in place in the event of an attack, and banks typically segregate data within their systems to control the scope of a successful breach.
But the urgency to protect critical institutions such as banks against cyberattacks has only intensified. Worldwide incidents such as the WannaCry ransomware attack in 2017, and this year’s disclosure by ride-sharing company Uber Technologies Inc. that a 2016 hack had exposed data belonging to hundreds of thousands of Canadians, have cast a spotlight on data-security concerns, and highlighted the damage a breach can do to customers’ trust.
BMO has a “thorough investigation” under way, according to spokesman Paul Gammal, and the bank has notified “all relevant authorities” as it assesses the potential damage.
“We are confident that exposures identified related to customer data have been closed off,” Mr. Gammal said in an e-mail. “We are notifying customers who may have been impacted.”
The RCMP confirmed it “is actively looking into this matter with the collaboration of the affected banks,” but declined to comment further.
Simplii was launched last year and has about two million clients, most of whom are former President’s Choice Financial clients who were moved over to Simplii after CIBC, Canada’s fifth-largest lender, ended a two-decade partnership with Loblaw Cos. Ltd.
Simplii intends to reach out to customers who may be affected, and promises to fully reimburse any funds lost as a result of the fraud.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security measures,” spokeswoman Olga Petrycki said in an e-mail, adding: “We are investigating to determine the validity of the claims and the type of the information that may have been accessed.”
There is no indication that CIBC clients are affected by the breach. And the six other largest banks in Canada – Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia, National Bank of Canada, Laurentian Bank of Canada and Canadian Western Bank – confirmed there is no sign their customer data has been breached.
It is rare that a major Canadian bank would have customer data stolen, despite being regularly targeted. A recent survey by Ernst & Young LLP found that enhancing cyber and data security ranks as banks’ top priority for 2018. Developments in artificial intelligence and advanced analytics will help fend off attacks, the report suggests, but a “cybersecurity skills shortage” poses a challenge in the face of increasingly sophisticated attempts.
“I think financial institutions … are probably better prepared than most,” said Imran Ahmad, who leads the cybersecurity practice at law firm Miller Thomson LLP. “But this should serve as a bit of a wake-up call for other organizations.”
It’s also common wisdom that it’s likely impossible to stop every attack, and financial institutions make rich targets for hackers looking to steal data and make money. “It’s a business for them,” Mr. Ahmad said. “If they’re reaching out to the bank, it is most likely for financial gain.”
Both BMO and Simplii said it is their practice not to pay ransom demands as it encourages further fraudulent activity.
In recent days, two Simplii customers reached by The Globe and Mail discovered they had been locked out of their accounts, and that fraudulent e-mail transfers had been sent using their funds.
Jennifer Gaudet, a Simplii client in Ottawa, couldn’t log in on Friday or Saturday, and didn’t recognize the security questions used to verify her account. She reset them, but encountered the same problem the next day. When she contacted Simplii, she learned her account had been frozen, but not before an e-mail transfer using $2,889 of her funds was sent to a fraudulent e-mail address.
Ms. Gaudet now has a new account to replace the one that was compromised, but has been told it could take seven to 10 days to reimburse the $2,889 she lost, as well as a $3.50 fee for cancelling the e-transfer.
“I am very worried about how much information this hacker could have. Does he have my home address, my date of birth?” Ms. Gaudet said in an e-mail. “I feel violated by the whole situation.”
The Office of the Privacy Commissioner of Canada has been notified and is working to understand what the banks “are doing to mitigate the situation,” a spokesperson said.
BMO and Simplii Financial, which is CIBC’s direct banking brand, are warning that “fraudsters” may have accessed some customer accounts.
BMO said it received a claim on Sunday, May 27 that the personal and financial information of “a limited number of customers” had been illegally accessed. The bank said it believes the attack originated from outside the country.
The bank said it is “confident” that “exposures identified related to customer data have been closed off.”
The warning from BMO follows similar news from Simplii, which said fraudsters may have electronically accessed data from 40,000 client accounts.
Simplii said it has implemented additional online security measures as it continues to investigate. The changes include enhanced online fraud monitoring and online banking security measures.
Both banks said they are reaching out to clients and advised customers who notice any unusual activity to get in touch.
A message appearing on the Simplii app on Monday says that “fraudsters may send messages asking for personal information.” The bank said to send any suspicious correspondence to fraud@simplii.com.
Simplii said that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
With files from the Canadian Press
Two of Canada’s largest financial institutions warn that data breaches may have leaked the banking information of thousands of customers.
Simplii Financial said Monday a hack may have compromised the personal and account information of about 40,000 customers.
The company issued a statement advising clients that it has “implemented additional online security measures” after it received a claim on Sunday that fraudsters may have electronically accessed certain personal and account information.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” Michael Martin, senior vice-president of Simplii Financial, said in a statement.
“We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
One listener named Jennifer told 680 NEWS $2,889 was taken out of her CIBC Simplii account last week and the money is still missing. She also said her personal information was changed. She said she also reported this incident to the RCMP.
“It’s pretty scary … this [person] knows my home address, does he know my birth date? Does he know other things that I have provided to Simplii?” Jennifer said. “I feel very violated.”
The company said there’s “currently no indication that clients who bank through CIBC have been affected.”
Simplii Financial is also reminding customers to use a complex password and PIN.
Just like Simplii, the Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.
“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation,” BMO said in a statement.
The bank said it believes the attack came from outside the country.
Both banks are asking their clients to monitor their accounts for any signs of unusual or suspicious activity, and to report such activity to them.
Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.
“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”
The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.
“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.
“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”
Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.
The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.
Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.
In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.
New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.
The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.
With files from News Staff