[BreachExchange] At least 90,000 Canadian bank customers may have been affected by two data breaches

Destry Winant destry at riskbasedsecurity.com
Wed May 30 22:14:35 EDT 2018


On Monday, two of Canada’s five largest banks, the Bank of Montreal (BMO)
and Simplii Financial, informed their customers that they are investigating
a data breach.

The security breach suffered by the Bank of Montreal (BMO) may have
impacted fewer than 50,000 of its 8 million customers overall; the
incident suffered by Simplii Financial may have exposed the information of
40,000 clients.

“Two Canadian banks warned Monday they have been targeted by hackers,
and that the personal information of tens of thousands of customers
may have been stolen — something that appeared to be confirmed in a
letter to the media from someone who said they were demanding a
$1-million ransom from the banks,” reads the post published by CBC.

“CIBC-owned Simplii Financial was the first to warn on Monday morning
that hackers had accessed the personal and account information of more
than 40,000 of the bank’s customers.”

Exposed data allegedly includes social insurance numbers, dates of
birth, and financial information.

In both cases, the hackers contacted the bank in an attempt at blackmail,
demanding a $1 million ransom from each bank to avoid disclosure of the data.

BMO has ruled out the involvement of insiders; it has contacted authorities
and notified potentially affected customers of the incident.

“On Sunday, May 27, fraudsters contacted BMO claiming that they were
in possession of certain personal and financial information for a
limited number of customers. We believe they originated the attack
from outside the country,” reads a press release published by BMO.

“We took steps immediately when the incident occurred and we are
confident that exposures identified related to customer data have been
closed off. We have notified and are working with relevant
authorities as we continue to assess the situation.”

Simplii has not yet confirmed the data breach but informed customers
that it’s investigating the issue and has already implemented
“enhanced online fraud monitoring and online banking security

“Simplii Financial is advising clients that it has implemented
additional online security measures in response to a claim received on
Sunday, May 27, 2018 that fraudsters may have electronically accessed
certain personal and account information for approximately 40,000 of
Simplii’s clients.” states the security advisory published by the

“We’re taking this claim seriously and have taken action to further
enhance our monitoring and security procedures,” said Michael Martin,
Senior Vice-President, Simplii Financial. “We feel that it is
important to inform clients so that they can also take additional
steps to safeguard their information.”

The bank has reassured its customers that any economic damage will be
fully reimbursed.

In addition, Simplii recommends that clients:

Always use a complex password and PIN (e.g. not 12345)
Monitor their accounts for signs of unusual activity

At this time, we cannot rule out that the hackers obtained the
customer data of the two Canadian banks in other ways, for example
by collecting it from other data breaches or by targeting customers
with a spear phishing campaign.
