BMO and CIBC-owned Simplii Financial reveal hacks of customer data

Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks.

CIBC-ownedSimplii Financial was the first to warn on Monday morningthat hackers had accessed thepersonal and account information of more than 40,000 of the bank's customers.

The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.

"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," the bank's senior vice-presidentMichael Martin said in a statement.

Then later Monday morning, Bank of Montreal revealed that it, too, had received a tip that "fraudsters" had stolen data on up to 50,000 of the bank's customers, "and a threat was made to make it public," BMO spokesperson Paul Gammal said.

In BMO's case, at least, the tipsters were the hackers themselves.

"We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,"BMOsaid.

Someone claiming to have the stolen data sent a letter to media outlets across Canada later in the day, threateningto sell the information to "criminals" if the banks do not pay a $1-million ransom by 11:59 p.m.

"Criminals will use Simplii and BMO client informations to apply for products credit using social insurance number, date of birth and all other personnal info," the letter said.

The email ended with a sample of the information in question: the names, dates of birth, SIN and account balances of an Ontario man and a woman living in B.C.

The woman, who asked not to be named, confirmed when contacted by CBCNews that the information in the email, which also included the answers to her three security questions,was accurate.

"Holy shit," she said. "I'm very upset about this How could this happen?"

Outside Canada

"We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them,"BMOsaid.

When asked whether the hackers themselves were the ones who tipped off the bank over the weekend, Simplii did not expand on its initial statement.

Michael McCarthy of Edmonton told CBC News that a fraudulent transfer for $980 was sent from his Simplii Financial account on Saturday

"The bank said they blocked it, but it still hasn't been reversed," he said, adding that the bank hasn't told him when it will be corrected.

"My biggest concern is around my personal information in someone else's hands."

McCarthy saidSimpliiis issuing him a new bank card, but because the company is not a bricks-and-mortar institution, they're going to mail the new card, which is expected totake four to seven days to arrive. In the meantime, he can't access his money.

Unusual approach

Cybersecurity researcherJrme Segurawith MalwareBytesLabs says it's very unusual for hackers themselves to tip off the company, because the moment they do, whatever information they have becomes effectively worthless.

"It's probably just that they were trying to blackmail them," he said in an interview with CBC News.

"They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, 'We're going to release this or else we can work something out,'" he said.

David Masson, the country manager for Canadaat cyberdefencefirm Darktrace, saidit's reasonable to suspect that the fraudsterswere the same group at both banks. Based on what he's seen, Masson said, he suspects the attack was likely what's known as a "spear phishing" attack.

Unlike a so-called phishingattack, which targets people indiscriminately in the hope that someone will fall into the trap, a spear phishing attack is more closelytargeted at individuals, using techniques to make themhand over crucial data.

"They'll even pick people inside banks and financial institutions and aim their attack at them," he said. "Even if you get 99 per cent to be smart, it only takes one."

In its statement Monday, BMOsaidthe fraudsters appearto have been operating outside Canada.

It's unclear where Simplii came up with the 40,000 figure, as that number represents a tiny fraction of the roughly twomillion customers the bank inherited when CIBCtook overSimplii at the time known as President's Choice Financial from Loblawslast fall.

Simplii said its investigation is continuing, and it will continue to notify affected clients "through all channels" if it is determined they have been compromised.

Will return 100%

"We feel that it is important to inform clients so that they can also take additional steps to safeguard their information," Martin said.

"If a client is a victim of fraud because of this issue, we will return 100 per centof the money lost from the affected bank account," the release said.

There is no indication that other CIBCcustomers are affected, Simplii said.

Later in the day, other major Canadian banks told CBCNews that they were not affected by whatever hit the two banks, with Royal Bank, TD and Scotiabankall saying there is no indication that any of their customers have been affected.

Fraud and security intelligence expertAmanda Holden at software firm SAS said Canadian banks, on the whole, do a much better job than some other industries when it comes to preventing fraud, because they deal with it far more often.

"Banks are particularly cautious on this, because they have a financial risk," she said in an interview. "They're a huge target, because the criminals want money."

Different notice

Holden said that most oftena bank's first warning of fraud often comes from consumerswho notice suspicious activity and report it. Only then do the banks see any trends and identify common points of a breach, such as individual stores.

The hacks revealed Monday are different, because, at least in BMO's case, it's the hackers themselves who tipped the bank off.

Banks are caught in a tough spot on this issue, Holden said, because they are pulled between two competing forces: they want to make it easier to use technology to bank with them, but they don't want to open themselves up to more fraud.

"They're still doing work to figure out how to protect the front doors," she said.