BMO and CIBC-owned Simplii Financial reveal hacks of customer data

Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks.

2 Canadian banks say accounts compromised: CIBC says 40,000, and BMO says up to 50,000 affected

Bank hacks

5 years ago
Duration 2:06
BMO, Simplii Financial reveal hacks of customer data

Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks. 

CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank's customers.

The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.

"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," the bank's senior vice-president Michael Martin said in a statement.

Then later Monday morning, Bank of Montreal revealed that it, too, had received a tip that "fraudsters" had stolen data on up to 50,000 of the bank's customers, "and a threat was made to make it public," BMO spokesperson Paul Gammal said.

In BMO's case, at least, the tipsters were the hackers themselves.

"We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO said. 

Someone claiming to have the stolen data sent a letter to media outlets across Canada later in the day, threatening to sell the information to "criminals" if the banks do not pay a $1-million ransom by 11:59 p.m. 

"Criminals will use Simplii and BMO client informations to apply for products credit using social insurance number, date of birth and all other personnal info," the letter said. 

The email ended with a sample of the information in question: the names, dates of birth, SIN and account balances of an Ontario man and a woman living in B.C. 

The woman, who asked not to be named, confirmed when contacted by CBC News that the information in the email, which also included the answers to her three security questions, was accurate. 

"Holy shit," she said. "I'm very upset about this… How could this happen?" 

Outside Canada

"We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them," BMO said. 

When asked whether the hackers themselves were the ones who tipped off the bank over the weekend, Simplii did not expand on its initial statement.

Michael McCarthy of Edmonton told CBC News that a fraudulent transfer for $980 was sent from his Simplii Financial account on Saturday 

"The bank said they blocked it, but it still hasn't been reversed," he said, adding that the bank hasn't told him when it will be corrected. 

"My biggest concern is around my personal information in someone else's hands."

McCarthy said Simplii is issuing him a new bank card, but because the company is not a bricks-and-mortar institution, they're going to mail the new card, which is expected to take four to seven days to arrive. In the meantime, he can't access his money.

Unusual approach

Cybersecurity researcher Jérôme Segura with MalwareBytes Labs says it's very unusual for hackers themselves to tip off the company, because the moment they do, whatever information they have becomes effectively worthless.

"It's probably just that they were trying to blackmail them," he said in an interview with CBC News.

"They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, 'We're going to release this or else we can work something out,'" he said.

David Masson, the country manager for Canada at cyberdefence firm Darktrace, said it's reasonable to suspect that the fraudsters were the same group at both banks. Based on what he's seen, Masson said, he suspects the attack was likely what's known as a "spear phishing" attack.

Unlike a so-called phishing attack, which targets people indiscriminately in the hope that someone will fall into the trap, a spear phishing attack is more closely targeted at individuals, using techniques to make them hand over crucial data.

Last year, more than two million PC Financial customers moved to CIBC, which rebranded the bank as Simplii. (CBC)

"They'll even pick people inside banks and financial institutions and aim their attack at them," he said. "Even if you get 99 per cent to be smart, it only takes one."

In its statement Monday, BMO said the fraudsters appear to have been operating outside Canada.

It's unclear where Simplii came up with the 40,000 figure, as that number represents a tiny fraction of the roughly two million customers the bank inherited when CIBC took over Simplii — at the time known as President's Choice Financial — from Loblaws last fall.

Simplii said its investigation is continuing, and it will continue to notify affected clients "through all channels" if it is determined they have been compromised.

Will return 100%

"We feel that it is important to inform clients so that they can also take additional steps to safeguard their information," Martin said.

"If a client is a victim of fraud because of this issue, we will return 100 per cent of the money lost from the affected bank account," the release said.

There is no indication that other CIBC customers are affected, Simplii said.

Later in the day, other major Canadian banks told CBC News that they were not affected by whatever hit the two banks, with Royal Bank, TD and Scotiabank all saying there is no indication that any of their customers have been affected.

Fraud and security intelligence expert Amanda Holden at software firm SAS said Canadian banks, on the whole, do a much better job than some other industries when it comes to preventing fraud, because they deal with it far more often.

"Banks are particularly cautious on this, because they have a financial risk," she said in an interview. "They're a huge target, because the criminals want money."

Different notice

Holden said that most often a bank's first warning of fraud often comes from consumers who notice suspicious activity and report it. Only then do the banks see any trends and identify common points of a breach, such as individual stores.

The hacks revealed Monday are different, because, at least in BMO's case, it's the hackers themselves who tipped the bank off.

Banks are caught in a tough spot on this issue, Holden said, because they are pulled between two competing forces: they want to make it easier to use technology to bank with them, but they don't want to open themselves up to more fraud.

"They're still doing work to figure out how to protect the front doors," she said.