Skip to main content

Bank of Montreal and online bank Simplii Financial have both disclosed apparent data breaches, warning that “fraudsters” claim to have accessed personal and account information belonging to tens of thousands of customers.

BMO, which is Canada’s fourth-largest bank, said the alleged hackers claim to have stolen sensitive information, likely belonging to fewer than 50,000 clients, and threatened to make that data public. The bank believes the attack originated outside Canada.

Simplii − a low-cost online bank owned by Canadian Imperial Bank of Commerce − also received notice of an alleged breach involving information for as many as 40,000 customers.

Both banks were contacted on Sunday by the alleged perpetrators, and revealed the apparent breaches Monday morning. The attacks appear to be related, a BMO spokesman said.

Also: CIBC profit climbs sharply despite cooling of mortgage growth

Canadian banks spend considerable resources to combat rising cyberthreats, and have been collaborating to head off attacks since at least 2000. There are recovery mechanisms in place in the event of an attack, and banks typically segregate data within their systems to control the scope of a successful breach.

But the urgency to protect critical institutions such as banks against cyberattacks has only intensified. Worldwide incidents such as the WannaCry ransomware attack in 2017, and this year’s disclosure by ride-sharing company Uber Technologies Inc. that a 2016 hack had exposed data belonging to hundreds of thousands of Canadians, have cast a spotlight on data-security concerns, and highlighted the damage a breach can do to customers’ trust.

BMO has a “thorough investigation” under way, according to spokesman Paul Gammal, and the bank has notified “all relevant authorities” as it assess the potential damage.

“We are confident that exposures identified related to customer data have been closed off,” Mr. Gammal said in an e-mail. “We are notifying customers who may have been impacted.”

The RCMP confirmed it “is actively looking into this matter with the collaboration of the affected banks,” but declined to comment further.

Simplii was launched last year and has about two million clients, most of whom are former President’s Choice Financial clients who were moved over to Simplii after CIBC, Canada’s fifth-largest lender, ended a two-decade partnership with Loblaw Cos. Ltd.

Simplii intends to reach out to customers who may be affected, and promises to fully reimburse any funds lost as a result of the fraud.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security measures,” spokeswoman Olga Petrycki said in an e-mail, adding: “We are investigating to determine the validity of the claims and the type of the information that may have been accessed.”

There is no indication that CIBC clients are affected by the breach. And the six other largest banks in Canada – Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia, National Bank of Canada, Laurentian Bank of Canada and Canadian Western Bank – confirmed there is no sign their customer data has been breached.

It is rare that a major Canadian bank would have customer data stolen, despite being regularly targeted. A recent survey by Ernst & Young LLP found that enhancing cyber and data security ranks as banks’ top priority for 2018. Developments in artificial intelligence and advanced analytics will help fend off attacks, the report suggests, but a “cybersecurity skills shortage” poses a challenge in the face of increasingly sophisticated attempts.

“I think financial institutions … are probably better prepared than most,” said Imran Ahmad, who leads the cybersecurity practice at law firm Miller Thomson LLP. “But this should serve as a bit of a wake-up call for other organizations.”

It’s also common wisdom that it’s likely impossible to stop every attack, and financial institutions make rich targets for hackers looking to steal data and make money. “It’s a business for them,” Mr. Ahmad said. “If they’re reaching out to the bank, it is most likely for financial gain.”

Both BMO and Simplii said it is their practice not to pay ransom demands as it encourages further fraudulent activity.

In recent days, two Simplii customers reached by The Globe and Mail discovered they had been locked out of their accounts, and that fraudulent e-mail transfers had been sent using their funds.

Jennifer Gaudet, a Simplii client in Ottawa, couldn’t log in on Friday or Saturday, and didn’t recognize the security questions used to verify her account. She reset them, but encountered the same problem the next day. When she contacted Simplii, she learned her account had been frozen, but not before an e-mail transfer using $2,889 of her funds was sent to a fraudulent e-mail address.

Ms. Gaudet now has a new account to replace the one that was compromised, but has been told it could take seven to 10 days to reimburse the $2,889 she lost, as well as a $3.50 fee for cancelling the e-transfer.

“I am very worried about how much information this hacker could have. Does he have my home address, my date of birth?” Ms. Gaudet said in an e-mail. “I feel violated by the whole situation.”

The Office of the Privacy Commissioner of Canada has been notified and is working to understand what the banks ”are doing to mitigate the situation,” a spokesperson said.

Report an error

Editorial code of conduct

Tickers mentioned in this story