Hackers threaten to reveal personal data of 90,000 Canadians caught in bank hack

Hackers have threatened to release personal information for nearly 100,000 customers of two Canadian banks unless the lenders pay a $1-million ransom in cryptocurrency.

BMO and Simplii say thieves stole information, demanded $1M ransom for safe return

Hack victim

5 years ago
Duration 4:05
Aaron Saltzman reports on victims of a Canadian bank hack.

Hackers have threatened to release personal information for nearly 100,000 customers of two Canadian banks unless the lenders pay a $1-million ransom for its safe return.

On Monday, Bank of Montreal and online bank Simplii Financial — owned by CIBC — revealed that they learned over the weekend that the identifying personal information of a combined 90,000 different account holders at the two banks was stolen.

The thieves said they accessed information such as names, account numbers, passwords, security questions and answers, and even social insurance numbers and account balances, by exploiting weaknesses in the two banks' security systems.

"We warned BMO and Simplii that we would share their customers informations if they don't cooperate," a Russian-based email purportedly from the thieves said Monday evening.

How they did it

The email also provided a brief explanation of how they say they hacked the accounts. The hackers claim they were able to gain partial access to accounts by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences such as credit card numbers and social insurance numbers.

The hackers say they used the algorithm to get account numbers, which allowed them to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account.

"They were giving too much permission to half-authenticated account which enabled us to grab all these information," the email said, adding that the bank "was not checking if a password was valid until the security question were input correctly."

Bank hack: What’s at risk

5 years ago
Duration 1:26
Why financial breaches are so worrying.

The email demanded a ransom of $1 million in a cryptocurrency known as Ripple be paid for the return of the data by yesterday at midnight, otherwise the information would be released.

"These ... profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don't get the payment before May 28 2018 11:59PM," the email said.

That deadline has now passed. The cryptocurrency wallet where the hackers ordered the money to be paid was only opened last month, but already has the equivalent of almost $5 million US in it.

CBC News reached out to both banks for confirmation as to whether any ransom had been paid. 

"Our practice is not to make payments to fraudsters," Bank of Montreal said. "We are focused on protecting and helping our customers."

For Simplii's part, the bank said "we are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."

To back up the veracity of their claims, the thieves shared identifying information about two Canadians — each a customer of each respective bank.

Hackers claim to have stolen the personal banking information of 90,000 customers at two major Canadian banks. (Mark J. Terrill/Associated Press)

'Very distressed'

CBC News contacted those two individuals, and both confirmed the veracity of the information the thieves sent out.

"I'm very distressed," one victim told CBC News when told their information had been stolen. "How could this happen? I barely slept last night, I'm so worried."

CBC News has obtained a list circulating online containing personal information of 100 BMO customers, which includes extensive personal information about them, including names, addresses, phone numbers, account numbers, birth dates and Social Insurance Numbers. CBC News has reached out to a number of those individuals, many of whom confirmed the accuracy of the information.

One Simplii customer — who was not named in the hackers' email claiming responsibility — says he was told by the bank on Monday evening that he, too, is a victim of the hack.

"It's concerning," Mike McCarthy of Edmonton said. "I'm not sure in this day and age what I can do to get control of that data again."

"Some of those things you can't change about yourself so I'm sure it's going to exist out there for as long as someone wants to look for it."

McCarthy says he's heartened by the bank's response, offering free credit monitoring and some other services. But he still worries about what he calls "glaring gaps" in the banking system. 

"Who knows? Maybe I go back to showing up at the teller," he said. "I don't want to, but who knows what might happen next?"​

With files from the CBC's Aaron Saltzman