Bank of Montreal and online bank Simplii Financial have both disclosed apparent data breaches, warning that “fraudsters” claim to have accessed personal and account information belonging to tens of thousands of customers.

BMO, which is Canada’s fourth-largest bank, said the alleged hackers claim to have stolen sensitive information, likely belonging to fewer than 50,000 clients, and threatened to make that data public. The bank believes the attack originated outside Canada.

Simplii – a low-cost online bank owned by Canadian Imperial Bank of Commerce – also received notice of an alleged breach involving information for as many as 40,000 customers.

Both banks were contacted on Sunday by the alleged perpetrators, and revealed the apparent breaches Monday morning. The attacks appear to be related, a BMO spokesman said.

Canadian banks spend considerable resources to combat rising cyberthreats, and have been collaborating to head off attacks since at least 2000. There are recovery mechanisms in place in the event of an attack, and banks typically segregate data within their systems to control the scope of a successful breach.

But the urgency to protect critical institutions such as banks against cyberattacks has only intensified. Worldwide incidents such as the WannaCry ransomware attack in 2017, and this year’s disclosure by ride-sharing company Uber Technologies Inc. that a 2016 hack had exposed data belonging to hundreds of thousands of Canadians, have cast a spotlight on data-security concerns, and highlighted the damage a breach can do to customers’ trust.

BMO has a “thorough investigation” under way, according to spokesman Paul Gammal, and the bank has notified “all relevant authorities” as it assesses the potential damage.

“We are confident that exposures identified related to customer data have been closed off,” Mr. Gammal said in an e-mail. “We are notifying customers who may have been impacted.”

The RCMP confirmed it “is actively looking into this matter with the collaboration of the affected banks,” but declined to comment further.

Simplii was launched last year and has about two million clients, most of whom are former President’s Choice Financial clients who were moved over to Simplii after CIBC, Canada’s fifth-largest lender, ended a two-decade partnership with Loblaw Cos. Ltd.

Simplii intends to reach out to customers who may be affected, and promises to fully reimburse any funds lost as a result of the fraud.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security measures,” spokeswoman Olga Petrycki said in an e-mail, adding: “We are investigating to determine the validity of the claims and the type of the information that may have been accessed.”

There is no indication that CIBC clients are affected by the breach. And the six other largest banks in Canada – Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia, National Bank of Canada, Laurentian Bank of Canada and Canadian Western Bank – confirmed there is no sign their customer data has been breached.

It is rare that a major Canadian bank would have customer data stolen, despite being regularly targeted. A recent survey by Ernst & Young LLP found that enhancing cyber and data security ranks as banks’ top priority for 2018. Developments in artificial intelligence and advanced analytics will help fend off attacks, the report suggests, but a “cybersecurity skills shortage” poses a challenge in the face of increasingly sophisticated attempts.

“I think financial institutions … are probably better prepared than most,” said Imran Ahmad, who leads the cybersecurity practice at law firm Miller Thomson LLP. “But this should serve as a bit of a wake-up call for other organizations.”

It’s also common wisdom that it’s likely impossible to stop every attack, and financial institutions make rich targets for hackers looking to steal data and make money. “It’s a business for them,” Mr. Ahmad said. “If they’re reaching out to the bank, it is most likely for financial gain.”

Both BMO and Simplii said it is their practice not to pay ransom demands as it encourages further fraudulent activity.

In recent days, two Simplii customers reached by The Globe and Mail discovered they had been locked out of their accounts, and that fraudulent e-mail transfers had been sent using their funds.

Jennifer Gaudet, a Simplii client in Ottawa, couldn’t log in on Friday or Saturday, and didn’t recognize the security questions used to verify her account. She reset them, but encountered the same problem the next day. When she contacted Simplii, she learned her account had been frozen, but not before an e-mail transfer using $2,889 of her funds was sent to a fraudulent e-mail address.

Ms. Gaudet now has a new account to replace the one that was compromised, but has been told it could take seven to 10 days to reimburse the $2,889 she lost, as well as a $3.50 fee for cancelling the e-transfer.

“I am very worried about how much information this hacker could have. Does he have my home address, my date of birth?” Ms. Gaudet said in an e-mail. “I feel violated by the whole situation.”

The Office of the Privacy Commissioner of Canada has been notified and is working to understand what the banks “are doing to mitigate the situation,” a spokesperson said.
