
A 2017 data breach that exposed personal information belonging to more than 113,000 Bank of Montreal customers exploited “significant weaknesses” in the bank’s safeguards that have since been strengthened, according to a report from the Privacy Commissioner of Canada.

BMO previously disclosed the breach in May, 2018, after receiving a ransom demand from hackers, who threatened to release private customer information if their demands weren’t met. The bank refused to pay. At the time, BMO said the attack likely compromised information belonging to fewer than 50,000 clients. In fact, the report says, two separate attacks managed to steal personal information belonging to 113,154 customers over a six-month span in 2017.

Simplii, a digital bank owned by Canadian Imperial Bank of Commerce, reported a breach at the same time, which was believed to be related. The intrusion exposed sensitive information belonging to as many as 40,000 customers.

The Office of the Privacy Commissioner launched an investigation after two BMO customers complained the bank had not adequately safeguarded their information. The probe found the attackers were able to sign into one online banking profile, then exploit a vulnerability in a product-application page to retrieve unencrypted files from a cache that was intended to automatically fill personal information into the application form. By programming a bot to cycle through random account numbers, they were able to steal customer data on a large scale.
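As an added illustration (not code from the article, BMO or the Privacy Commissioner's report), the following Python shows the two controls a defender would want given the pattern described above: an authorization check that ties every autofill lookup to the accounts the signed-in session actually owns, and a scan of access-log lines for a single session cycling through many distinct account numbers. The endpoint path, session ids, account numbers and log lines are all constructed for the example.

```python
"""Added example: binding autofill lookups to the session's own accounts, and
spotting one session that requests many different account numbers (the
signature of a bot cycling through identifiers). All data is constructed."""
from collections import defaultdict

# Constructed ownership table: accounts each signed-in session may read.
SESSION_ACCOUNTS = {"sess-A": {"1001", "1002"}, "sess-B": {"2001"}}

def authorize_autofill(session_id: str, requested_account: str) -> bool:
    """Allow the cached-profile lookup only for an account this session owns.
    Without this check, one valid login can read any customer's cached data."""
    return requested_account in SESSION_ACCOUNTS.get(session_id, set())

# Constructed access-log lines: "<session> <endpoint> <account> <http-status>"
SAMPLE_LOG = """\
sess-A /apply/autofill 1001 200
sess-A /apply/autofill 1002 200
sess-B /apply/autofill 2001 200
sess-B /apply/autofill 5123 200
sess-B /apply/autofill 8841 200
sess-B /apply/autofill 0042 200
sess-B /apply/autofill 3390 200
sess-B /apply/autofill 7715 200
"""

def find_enumerating_sessions(log_text: str, threshold: int = 3) -> dict:
    """Return {session: distinct_accounts} for every session that asked the
    autofill endpoint about more than `threshold` distinct account numbers.
    A genuine customer touches a handful of accounts; a bot touches thousands."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        session, endpoint, account, _status = parts
        if endpoint == "/apply/autofill":
            seen[session].add(account)
    return {s: len(accts) for s, accts in seen.items() if len(accts) > threshold}

if __name__ == "__main__":
    print(authorize_autofill("sess-B", "5123"))   # False
    print(find_enumerating_sessions(SAMPLE_LOG))  # {'sess-B': 6}
```

In production the log scan would run over a sliding time window, and denied lookups from the authorization check are themselves worth alerting on, since a bot probing random numbers produces a long run of them.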

Nearly 63,000 customers had their social insurance numbers and dates of birth stolen, and many also had account numbers, names, addresses and, in some cases, credit- or debit-card numbers exposed. The attackers also attempted some fraudulent electronic funds transfers.

The Privacy Commissioner found deficiencies in BMO’s developer security testing and evaluation, as well as its oversight and monitoring. The bank did not have any way of managing bot attacks. And because of gaps in its vulnerability testing, it failed to catch the unauthorized account breaches for six months.

“BMO has made a variety of significant improvements to its security posture since the breach … to resolve the safeguard deficiencies we identified in this report,” according to the Privacy Commissioner’s office, which considers the matter resolved.

A spokesperson for the bank, Paul Gammal, said BMO welcomes the Privacy Commissioner’s findings. “In early 2018, we proactively reached out to affected customers and worked with them to mitigate the risk of fraud and have compensated customers impacted by this incident,” he wrote in an e-mail.

In January, 2019, BMO launched a financial crimes unit to combat fraud and cyberthreats. The bank also hired an independent company to do a forensic analysis of the incident, but refused to share the findings with the Privacy Commissioner, which “complicated and delayed” the federal investigation, according to the report.

BMO first detected the attack in December, 2017, when its fraud team noticed an unusually high number of sign-in requests and fraudulent electronic money transfers, but at first the bank was unaware of how widespread the breach was. The hackers’ ransom e-mail demanded a $1-million payment made in cryptocurrency. The bank referred the matter to law enforcement. In response, the hackers posted information belonging to 3,190 BMO customers on public websites.

In September, 2020, the RCMP charged two people suspected of being responsible for the cyberattack, but the case has not yet been resolved.
