A 2018 hack and theft of millions of dollars from customers could cost two of Canada’s biggest banks a combined $23 million to settle class-action lawsuits from victims.
Ontario Superior Court Justice Robert Smith last week approved the settlement and disbursement of a potential $21.2 million for 113,151 Bank of Montreal victims, and $1.7 million for just over 10,000 victims of CIBC’s online bank, Simplii Financial.
The BMO total is labelled “potential” because its settlement has a fixed portion (about $12 million) and a portion against which victims can submit claims for time spent dealing with breach issues (that portion could reach $8.5 million if all conditions are met).
The Simplii Financial settlement differs in that it offers only fixed amounts for the various categories of victims.
The attacks cost the banks in other ways outside the settlements. BMO covered $6.85 million in fraudulent electronic money transfers from an unspecified number of customers, while CIBC covered $1.78 million for money stolen from 1,200 Simplii customers.
The decision also noted BMO spent about $5.45 million on credit monitoring and identity protection for just under 17,000 of its victims. CIBC also offered clients similar services, but the decision doesn’t say how many took up the offer or what it cost the bank.
The decision says that CIBC gave 8,743 Visa gift cards, each worth $100 (totalling $874,300), to victims in recognition of the potential inconvenience caused by the attack.
That means the hack could cost BMO at least $28 million and CIBC almost $3 million in direct costs. This doesn’t include indirect costs such as time spent by their incident response and legal teams on investigations.
A separate class action involving only BMO goes before a Quebec court on May 31; that court has yet to approve a settlement.
Criminal charges against the two alleged perpetrators of the attacks, who demanded a ransom after copying and threatening to release customer data, are still before the courts in Quebec. According to news reports, the attackers demanded $1 million in cryptocurrency from each bank.
They are also charged with the 2017 hack of loyalty card accounts at Canadian Tire.
The judge wasn’t told how the banks’ security controls were breached.
IT World Canada asked the banks on Tuesday for comment on the causes of the breach. A spokesperson for Simplii replied in an email that the incident dates back to 2018 when a “limited number of Simplii Financial clients were affected. The issue was quickly identified and our teams worked around the clock to make it right for affected clients and protect them, including offering credit monitoring for two years at no cost. In the limited cases where a client’s account was affected, we fully reimbursed them at the time of issue.”
BMO didn’t get back to IT World Canada by press time.
Once word of the attack on the banks became public, CBC News reported that the hackers claimed in their ransom messages to the banks that they were able to gain access to accounts in part by using what they described as a common mathematical algorithm designed to quickly validate relatively short numeric sequences, which they used to obtain bank account numbers. That allegedly allowed them to pose to customer support as authentic account holders who had simply forgotten their password.
They claimed that was apparently enough to allow them to reset backup security questions and answers, giving them access to people’s accounts.
According to Michael Robb of the Siskinds law firm, which represents some of the victims in the lawsuit, the settlement followed principles established in other class actions: victims are divided into groups based on whether, and what, personal information was accessed and/or publicly disclosed.
They are then eligible for payments based on an agreed-upon flat rate (in these two cases $18 an hour) for a set amount of agreed time spent on their complaint and inconvenience.
For example, in the BMO settlement, a group whose sensitive personal information was posted online will be paid $1,000 each, plus they can claim up to 3.5 hours at $18 an hour for their time having to deal with issues.
A separate, larger group whose sensitive data was accessed by the hackers but not published will be paid $144 each for the first eight hours of their time dealing with the breach, plus up to 3.5 more hours if they can certify spending at least eight hours on the case. Certain legal fees, however, are deducted from all payments.
BMO grouped its victims into four categories: just over 59,750 whose personal information, including dates of birth and Social Insurance Numbers, was accessed; 50,200 whose personal information was accessed but not their SINs or dates of birth; 3,190 people whose personal information, including SINs and dates of birth, was accessed and posted online; and 3,566 people who could be members of the other three groups and also had money siphoned from their accounts.