Two of Canada’s largest retail banks have announced that customer data may have been accessed by hackers, and details disclosed by the alleged perpetrators seem to confirm that a breach has occurred.
Bank of Montreal (BMO) and Simplii Financial, the online bank of Canadian Imperial Bank of Commerce (CIBC), both say they were contacted on Sunday by individuals claiming that some of their customers’ data, including both personal and financial information, had been accessed. In both cases fewer than 50,000 accounts are believed to have been affected.
“Yesterday, we became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public,” said a spokesperson for BMO. “We are working with the relevant authorities and are conducting a thorough investigation.”
The spokesperson also suggested that the two cases may be linked, given the similarities and the timing. Both banks said that they are investigating the validity of these claims, have implemented additional security measures, and will be reaching out to any customers whose data may have been accessed.
Several Canadian news agencies later received emails which claimed to be from the hackers, who said that they were asking for a payment of one million Canadian dollars in cryptocurrency to keep the data private.
To back up their claims, the emails contained customer names, social insurance numbers and answers to security questions. CBC News contacted several of the individuals whose details were leaked in the email and elsewhere online, and received confirmations that the information was legitimate.
The emails also described how the hackers were able to access the data. According to the email, they were able to gain partial access to accounts by using an algorithm designed to validate short numeric sequences such as credit card and social insurance numbers.
Having used this algorithm to get account numbers, they say they were able to use the ‘forgot password’ process to reset security questions and answers. “They were giving too much permission to half-authenticated account,” the alleged hackers said, because the bank “was not checking if a password was valid until the security question were input correctly.”
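The gap the email describes, seen from the defender's side, is a state-changing recovery action available to a session that has only been identified, not verified. The sketch below is an added example, not code from the article or from either bank; the auth levels, action names and the account record are constructed assumptions. It replays that sequence against a weak policy and a hardened one.

```python
from enum import IntEnum

class Auth(IntEnum):
    NONE = 0
    IDENTIFIED = 1   # account number supplied; nothing about the caller is proven
    VERIFIED = 2     # password checked AND security answer checked

# Minimum level required per action (hypothetical action names).
WEAK = {"reset_security_qa": Auth.IDENTIFIED, "view_account": Auth.VERIFIED}
HARDENED = {"reset_security_qa": Auth.VERIFIED, "view_account": Auth.VERIFIED}

class Session:
    def __init__(self, policy, accounts):
        self.policy, self.accounts = policy, accounts
        self.level, self.account = Auth.NONE, None

    def identify(self, number):
        # A valid account number only ever reaches IDENTIFIED.
        if number in self.accounts:
            self.account, self.level = self.accounts[number], Auth.IDENTIFIED

    def verify(self, password, answer):
        # Both secrets are checked before the session is promoted.
        # Plaintext comparison is for brevity; real systems compare hashes.
        a = self.account
        if a and password == a["password"] and answer == a["answer"]:
            self.level = Auth.VERIFIED

    def allowed(self, action):
        # Deny by default: an action missing from the policy is refused.
        required = self.policy.get(action)
        return required is not None and self.level >= required

    def reset_security_qa(self, new_answer):
        if not self.allowed("reset_security_qa"):
            return False
        self.account["answer"] = new_answer
        return True

def replay(policy):
    """Account number only, then a security-answer reset (constructed data)."""
    accounts = {"1000001": {"password": "constructed-pw", "answer": "constructed"}}
    s = Session(policy, accounts)
    s.identify("1000001")
    changed = s.reset_security_qa("chosen-by-caller")
    return changed, accounts["1000001"]["answer"]
```

Under `WEAK` the replay overwrites the stored answer; under `HARDENED` the same request is refused and the record is unchanged.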
Online access to at-risk accounts has been blocked, which in some cases means certain customers are unable to make transactions by any means. Some customers have received notifications of unauthorised transactions which may be related to the alleged breaches, some of which total thousands of dollars.
Both banks have reassured customers that any stolen funds will be returned, though the Globe and Mail reports that several customers had not been reimbursed within the time frame they were told to expect.
Neither bank has explicitly commented on whether or not they paid the ransom, but a spokesperson for BMO told CBC News that “Our practice is not to make payments to fraudsters” and a Simplii spokesman told Information Security Media Group that “it is our practice not to pay ransom demands.”
In addition to the fraudulent transactions, the threat to go public with the information appears to have been carried out: a Facebook account claiming to represent the hackers posted a link to a site which seemed to contain several hundred people’s private banking information. The data posted on the site included names, account numbers, dates of birth and social insurance numbers, along with other information.
Former Ontario privacy commissioner Dr. Ann Cavoukian commented that the incident was “a real eye-opener” and criticised the banks’ reference to implementing additional security measures, questioning why these measures had not already been in place.