Canadian banks rarely acknowledge they’ve been involved in a cyber security incident. On Monday two of the country’s biggest retail banks reportedly suffered a data breach and are notifying customers.
Late Monday the CBC said several news services had received an email apparently from the hackers, who said they were demanding $1 million in cryptocurrency or customer names and information would be publicly released. CBC said to prove the legitimacy of the threat, the email included unencrypted customer names, social insurance numbers and answers to security questions that allegedly were stolen. The email also outlined how the attackers were able to breach bank defences.
According to the Globe and Mail, both banks were contacted Sunday by alleged perpetrators who claim to have accessed personal and account information belonging to tens of thousands of customers.
BMO hadn’t replied to a request for comment from ITWorldCanada.com at press time. But it tweeted out that it will be calling each potentially-impacted customer in the next 24 hours to offer complimentary monitoring, replace credit/debit cards, ensure all passwords get reset, and determine if there was any financial impact. The bank said it has also shut down access to customer accounts identified as potentially impacted by the breach. “Credit and debit Mastercard customers can still conduct chip and pin transactions, but customers with BMO Blue Debit-only cards will be unable to transact.”
Simplii Financial was launched last year as a new direct banking brand for people who want no-fee daily banking through online, mobile and telephone channels. It stemmed from the ending of CIBC’s partnership with Loblaws, where the bank created and ran the supermarket-based President’s Choice Financial.
In a notice on Simplii Financial’s website, senior vice-president Michael Martin said the bank has “implemented enhanced online security measures in response to a claim received on Sunday, May 27 that fraudsters may have electronically accessed certain personal and account information for some of our clients.”
He urged clients to always use a complex password and PIN (e.g. not 12345), and to monitor their accounts for signs of unusual activity.
Clients who notice suspicious activity are encouraged to contact Simplii Financial. “If a client is a victim of fraud because of this issue, we will return 100 per cent of the money lost from the affected bank account.”
Generally, Canada’s retail banks are considered to be among the leaders in private sector cyber security here — although experts say given enough time and resources any organization on the planet can be hacked, and staff mistakes can open holes.
Earlier this year international advertising and marketing media giant Havas released a 2017 cyber security survey of 1,500 Canadians it paid for. Just over half of respondents said their email accounts had been hacked, 33 per cent said social media accounts had been hacked and 18 per cent said online bank-related accounts had been hacked.
Last September National Bank said a website error may have exposed the personal information of nearly 400 of its customers, including their names, birthdates, phone numbers and email addresses. In 2008 the federal privacy commissioner investigated CIBC after it reported the disappearance of a hard drive with personal information of more than 400,000 current and former clients of a bank-run mutual fund. It had been sent from Montreal to Markham, Ont. The data wasn’t encrypted. Another hard drive that was shipped by a different route at the same time arrived. At the time of the report’s release there was no confirmed evidence that personal information on the drive had been improperly accessed and misused.
Richard Fadden, former head of the Canadian Security Intelligence Service (CSIS) and national security advisor, told a conference earlier this month that unfortunately, major financial institutions here are close-mouthed in public about cyber incidents. “Banks in particular are afraid to admit anything they do is less than perfect,” he said. It would help spread the word about the importance of cyber security if they and telcos would open up more, he said.
That’s starting to change. In January, the Bank of Montreal’s chief ethics officer spoke at the Canadian Institute’s annual Privacy and Data Compliance Forum, as did the bank’s chief privacy officer. Last fall Louise Dadnonneau, director of cybersecurity services at Scotiabank, and a colleague talked to the SecTor conference about setting up a security incident playbook.
However, to Fadden’s point, they don’t talk publicly about cyber incidents and lessons learned.