Bank of Montreal and Simplii Financial are grappling with the fallout from apparent data breaches that may have exposed sensitive personal and financial information belonging to tens of thousands of customers.
A day after both banks revealed that as many as 90,000 total customers may be affected, both banks were still working to contact customers whose data may have been stolen, freeze accounts at risk of further fraud and reimburse fraudulent transactions.
Alleged “fraudsters” contacted BMO and Simplii on Sunday, claiming to have accessed the data, and “a threat was made,” according to a BMO spokesperson. The banks revealed the breaches on Monday morning and have begun reaching out to affected clients. But many customers are still confused about how to access their banking, waiting for lost funds to be returned, and left wondering whether their personal data leave them vulnerable to further fraud.
“We are proactively contacting customers and taking all available means to protect their accounts, including blocking online and mobile access to accounts that may have been impacted, personally calling each impacted customer, as well as offering them free credit monitoring,” BMO spokesman Paul Gammal said in an e-mail.
BMO, which is Canada’s fourth-largest bank, said customers whose online accounts have been blocked by the bank can visit a branch or use telephone banking in the meantime, and that most debit cards are still working. For an online bank such as Simplii, the solution isn’t so simple, but customers who can’t access their accounts online can still use ATMs or access cash from some merchants.
On Saturday night, Will Lochner, a Simplii customer and student from Ayr, Ont., received a notification that someone he didn’t recognize had accepted a $485 e-transfer that he didn’t send. He contacted Simplii, changed his password and was issued a new bank card. His complaint is being investigated, but he has yet to receive the new card. Fortunately, he works a farm job that pays in cash, and “I’m kind of just going off the cash right now,” he said. “It’s been a bit confusing, to be honest.”
Both BMO and Simplii have promised to reimburse customers for funds lost through unauthorized transactions arising from the data breaches. “Customers will not lose money from this,” Mr. Gammal said.
Yet some clients have waited days and still don’t know when they will be reimbursed for transactions that, in some cases, total thousands of dollars.
Matthew Smith has banked with Simplii, which is owned by Canadian Imperial Bank of Commerce and was formerly part of President’s Choice Financial, for more than a decade. But last Thursday, he was unable to log in to his accounts and the safety questions to recover his password had been changed. When he reached Simplii, he was told his account was flagged for suspicious activity: Two e-mail money transfers, each for $1,500, had been sent to recipients he’d never heard of.
Mr. Smith was told on Thursday that he would be reimbursed in one to two business days, but the funds haven’t arrived. “I’m quite unhappy about the whole situation,” he said. “We’re trusting these banks with so much of our information and I don’t feel the way they’ve handled this whole thing has been very good.”
Mr. Smith’s experience is typical of an apparent pattern in the instances of fraud reported by customers who believe their data have been exposed: The user is unable to log in, the account’s security questions have been changed and unauthorized e-transfers have been sent without their knowledge.
Simplii spokesperson Olga Petrycki said in a statement that the bank is offering support to those who’ve been affected, and has a “dedicated team” working to remedy clients’ issues.
“Simplii is extending free credit monitoring to impacted clients and we are committed to returning 100% of any money lost from affected accounts as a result of this issue. We are also replacing affected clients’ bank cards and taking additional steps to monitor and protect our clients,” she said.
The alleged hackers’ apparent ability to take control of numerous accounts and move money electronically speaks to the sensitivity of the data that have allegedly been stolen.
“There are categories of information which are more valuable,” said Imran Ahmad, a lawyer who leads the cybersecurity practice at Miller Thomson LLP. “ If you steal somebody’s credit card information, that’s typically a very short shelf life and relatively easy to fix. If you steal somebody’s full identity by getting access to their [social insurance number], their banking details and can build a virtual profile, that identity theft can take a very long time … to correct or to fix.”
On Monday, a Facebook post from an account claiming to represent the alleged hackers included a link to a website that seemed to contain several hundred people’s private banking information. The entries included names, account numbers, dates of birth and social insurance numbers, among other data. The page was removed later that day by the site’s administrator.