A pair of Canadian banks reported on May 28 that they are investigating alleged data breaches that could impact up to 90,000 consumers.
The Canadian Imperial Bank of Commerce’s (CIBC) Simplii Financial division reported that approximately 40,000 of its customers are at risk, while in a separate incident the Bank of Montreal (BMO) said 50,000 of its customers were potentially exposed in a breach. Currently, it’s not clear how the data breaches occurred and for how long the information was exposed.
“On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers,” BMO wrote in a statement. “We believe they originated the attack from outside the country.”
CIBC’s Simplii Financial issued a similar statement, noting that on May 27 it too received a claim from hackers that they had accessed personal information on clients.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” Michael Martin, senior vice president at Simplii Financial, stated.
The alleged attackers sent a letter to multiple Canadian media outlets on May 27, claiming that the two banks had until 11:59 p.m. ET to pay a $1 million ransom or the information would be publicly disclosed. The banks did not pay the ransom, and the alleged attackers sent a sample of the information to media outlets including the CBC, which verified that some of the information was accurate. The information included names, account balances, dates of birth and the answers to three security questions needed to validate the account owner.
Remediation
Neither BMO nor CIBC indicated in their respective disclosures how the data was obtained by the attackers. Both banks did note that they have taken steps to limit additional risk.
“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” BMO stated.
Both banks recommend that customers be vigilant and check banking statements for any irregularities or indicators of potential fraud. CIBC also recommended that customers make sure they use a complex password in order to access account information.
Industry Reaction
Mukul Kumar, chief information security officer and vice president of Cyber-Practice at Cavirin, said the breach at the Canadian banks is somewhat disturbing.
“You think of traditional credit card and bank breaches, and it has mostly been credit card information,” Kumar told eWEEK. “But this is deeper financial information.”
Kumar said that the big question with these incidents is if this is a breach of the bank or a breach via other means. He added that it’s imperative that the banks understand where the threat came from, as the data that was stolen included Social Security numbers (SSN), dates of birth and other personally identifiable information.
“In the U.S., members of Congress have called for more secure forms of identification,” Kumar said. “We’re at the point now where we need to do more work with post-SSN identification and how it can be better secured.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.