On Monday, two of Canada’s five largest banks, the Bank of Montreal (BMO) and Simplii Financial, informed their customers that they are investigating a data breach.

The security breach suffered by the Bank of Montreal (BMO) may have impacted fewer than 50,000 of its 8 million customers overall, while the incident suffered by Simplii Financial may have exposed the information of 40,000 clients.

“Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks.” reads the post published by CBC.

“CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank’s customers.”

Exposed data allegedly includes social insurance numbers, dates of birth, and financial information.

In both cases, the hackers contacted the banks in an attempt to blackmail them, demanding a $1 million ransom from each bank to avoid disclosure of the data.

BMO ruled out the involvement of insiders; it has contacted authorities and notified potentially affected customers of the incident.

“On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. We believe they originated the attack from outside the country.” reads a press release published by BMO.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation.”

Simplii has not yet confirmed the data breach but informed customers that it’s investigating the issue and has already implemented “enhanced online fraud monitoring and online banking security measures.”

“Simplii Financial is advising clients that it has implemented additional online security measures in response to a claim received on Sunday, May 27, 2018 that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii’s clients.” states the security advisory published by the bank.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, Senior Vice-President, Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

The bank has reassured its customers that any economic damage will be fully reimbursed.

In addition, Simplii recommends that clients:

  • Always use a complex password and PIN (e.g. not 12345)
  • Monitor their accounts for signs of unusual activity

At this time, we cannot rule out that the hackers obtained the customer data of the two Canadian banks in other ways, for example by collecting it from other data breaches or by targeting customers with a spear-phishing campaign.

Pierluigi Paganini