Two Canadian Banks Probe Alleged Exposure of Customer Data


Fraudsters Claim Breach of 90,000 Bank of Montreal and Simplii Accounts

(euroinfosec) • May 30, 2018

Bank of Montreal branch in Montreal (Photo: Can Pac Swire via Flickr/CC)

Two of Canada's biggest banks are investigating claims by attackers that they accessed personal data for tens of thousands of their customers.


Both the Bank of Montreal, operating as BMO Financial Group, and Simplii Financial, a banking subsidiary of the Canadian Imperial Bank of Commerce, said they received reports on Sunday that client information had been compromised. BMO and CIBC are respectively Canada's fourth and fifth largest banks, by assets.

Bank of Montreal suspects that 50,000 of its 8 million Canadian clients' personal and account information may have been accessed, according to a statement issued by BMO Financial Group.

Meanwhile, Simplii Financial said in a statement that it's been alerted that about 40,000 of its 2 million clients' personal and account information may have been accessed. It says there are no signs that anyone who banks with CIBC was affected.

Both banks say they're investigating the alleged data exposure; neither has yet confirmed whether it believes the information was indeed accessed, or whether it has been able to debunk those claims.

But both banks say they are directly contacting all customers that they believe may have been affected.

Bank of Montreal Investigates

BMO says it was contacted by "fraudsters" on Sunday who claimed "that they were in possession of certain personal and financial information for a limited number of customers."

The bank says it believes that the attackers were operating from outside Canada. "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO says.

BMO didn't immediately respond to a request for comment about whether attackers demanded the bank pay a ransom.

But a spokesman for BMO told Reuters that the attackers had threatened to publicly release the allegedly stolen information and said the bank was working with authorities to investigate the alleged exposure of 50,000 customers' personal data.

Notification: Bank of Montreal Customers

Image: BMO notification to customers on its website

BMO has a nonspecific alert on its homepage that reads: "Your security is our priority." It links to a security notice in which the bank says: "We received a claim that fraudsters gained access to certain personal and financial information for some of our customers."

The notice also notes: "We are calling each potentially impacted customer to offer complimentary credit monitoring, replace cards, ensure all passwords get reset, and determine if there was any financial impact. Customers will not lose money from this incident, as we will fully reimburse our customers for any financial impact of unauthorized transactions."

The bank says that customers with chip-and-PIN debit or credit cards can continue to use those cards, even if their accounts were potentially affected by the breach.

Unlike the United States, which standardized on chip-and-signature cards, Canada has followed Europe's lead and put in place chip-and-PIN cards, which can only be used at a point of purchase if the cardholder enters a four-digit PIN.

Information security experts point to chip and PIN as being the more secure approach. But in the U.S., many card issuers worried that requiring PINs would lead consumers to use their payment cards less often.

Simplii Financial Investigates

Simplii said it has "implemented additional online security measures in response to a claim ... that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii's clients."

"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," said Michael Martin, a senior vice president at Simplii Financial, in a statement. "We feel that it is important to inform clients so that they can also take additional steps to safeguard their information."

The bank's investigation continues. "We are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests," a spokesman tells Information Security Media Group. "While the issue affects a limited number of individuals, we are providing updates to all Simplii clients through social media, Simplii.com and via email messages. We are also reaching out directly to clients who may have been impacted."

The spokesman declined to comment on whether attackers were holding the allegedly stolen information for ransom, "except to say that it is our practice not to pay ransom demands."

Notification: Simplii Customers

Image: Simplii alert to customers on its website

Simplii Financial is also displaying an alert to all visitors to its website saying it is investigating a report, received Sunday, that attackers accessed some of its clients' data.

"We are reaching out to those that have been affected to offer support," the bank says in its alert. "Simplii is extending free credit monitoring to impacted clients and we are committed to returning 100 percent of any money lost from affected accounts as a result of this issue." The bank said it's also replacing cards for affected clients and keeping a close eye on their accounts for signs of fraud.

"We have a dedicated team that is working to make this right for our clients," the bank says.

Bank of Canada Seeks Better Resiliency

The Bank of Canada, the country's central bank, recently launched a new cybersecurity initiative in collaboration with the country's six biggest banks.

The program is designed "to test and enhance the cyber resilience of the wholesale payments ecosystem," Filipe Dinis, chief operating officer of Payments Canada, which operates the country's payment clearing and settlement system, said in a speech earlier this month.

"The goal is to have a rapid, collaborative approach to recovery should a key participant be affected by a serious cybersecurity event, such as the corruption of critical data that results in a prolonged operational outage," said Dinis, who's leading the project.

Executive Editor Jeremy Kirk also contributed to this report.