Two Montreal men have been charged by the RCMP with being cyberattacks against Canadian Tire, the Bank of Montreal and CIBC’s Simplii Financial bank in 2017 and 2018.

Jacob Costanzo-Peterson and FĂ©lix Costanzo-Peterson have been charged with unauthorized use of a computer, identity theft and possession of a device to obtain unauthorized use of computers as a result of a lengthy investigation, the Mounties said in a Sept. 4 news release.

Project “Arrogance” first began in February 2017 after Canadian Tire Corp. reported a cyber incident involving their customer loyalty rewards program. In May 2018, Project “Assemble” began after BMO and Simplii Financial reported cyber incidents into their computer systems.

The RCMP said in August 2018 it seized numerous pieces of evidence at two residences, including digital evidence and firearms. The evidence eventually allowed investigators to link the two attacks together, it said.

Six months after those seizures, the two were accused in a Quebec court on charges related to possession of prohibited firearms and weapons trafficking as part of these two investigations. But it took until now for police to lay charges in the cybersecurity incidents. A court date for the new charges is scheduled for Nov. 5

Organizations can be reluctant to call police after a cyberattack, either fearing bad publicity or that the hackers are out of the country and can’t be caught. In this case, Alexandre Beaulieu, who heads the RCMP Cybercrime Investigative Team at the force’s National Division, credited the three companies. “If it had not been for the valuable collaboration of these three companies, we would not have been able to bring these two individuals to justice. These partnerships are key in solving these types of crimes, which unfortunately sometimes go unreported.”

A look back …

In May 2018 IT World Canada reported that BMO and Simplii Financial (the direct banking division of CIBC) had received an email apparently from hackers demanding $1 million in cryptocurrency or stolen customer names and information would be publicly released.

In February 2017 Global News reported that Canadian Tire had begun warning its loyalty card customers of a data breach.