A Bank of Montreal sign is shown in the financial district in Toronto on Tuesday, August 22, 2017. BMO is warning that “fraudsters” from outside of the country may have accessed certain personal and financial information of some of its customers. The bank says that fraudsters contacted BMO on Sunday claiming to be in possession of certain data for a “limited number of customers” and it believes the attack was originated outside of Canada.THE CANADIAN PRESS/Nathan Denette

BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

TORONTO — Two of Canada’s biggest banks warned Monday that up to 90,000 customers may have had certain personal and financial information compromised after “fraudsters” contacted both banks claiming to have obtained sensitive data.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers, however it did not elaborate on the type of data they accessed. The bank believes the attack originated from outside of Canada.

“We are conducting a thorough investigation,” spokesman Paul Gammal said in an emailed statement on Monday.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public. We are working with the relevant authorities,” he said. BMO did not say whether the attacker asked for money in an extortion attempt as they have done in other high-profile breaches.

Gammal said the two hacks appear to be related. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they have been affected.

CIBC’s direct banking brand Simplii Financial also warned Monday that “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 clients. Simplii said it received a claim on Sunday that their clients’ data may have been accessed.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” said CIBC spokesman Tom Wallis in an emailed statement.

Wallis said he could not comment on whether the hackers had attempted to extort CIBC “except to say that it is our practice not to pay ransom demands as it encourage further fraudulent activity.”

Simplii has since implemented additional online security measures such as enhanced online fraud monitoring. The bank said there is no indication that clients who bank through CIBC have been affected.

Both BMO and CIBC said they will contact clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, according to ministry spokeswoman Jocelyn Sweet.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that it has been notified by both financial institutions, but that it is not launching a formal investigation at this point.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

Financial institutions are attacked more than any other type of business or organization in the world, largely because the “bad guys are looking to make financial gain,” said David Masson, country manager for Canada with cybersecurity firm Darktrace.

It’s common for the target of a cyberattack to learn of the incident from someone outside of their organization, such as a customer, a third-party supplier, law enforcement officials or an intelligence service, he added.

“Or, and it’s not unusual, the bad guys run up and say, ‘Hey, we’ve got your stuff, give us your money or we’re going to disclose it’,” said Masson.

Consumers need to do their own due diligence after such an incident to limit any potential losses, said David Fewer, the director of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

Consumers “should be concerned,” given the kind of details the banks have about their clients, he said.

“This is important financial information, and a lot of damage can occur… Even if it’s just account information, and not the more sensitive identity document information, for example, that’s still significant.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and mobile phone numbers of 815,000 Canadian riders and drivers as part of a worldwide data breach.

New federal data breach regulations that would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible”. Previously, companies which had been hacked had been alerting the public on their own timeline.

Just Posted

Photos: Children enjoy petting animals near Red Deer Sunday

Children and families learned about various animals and birds at a petting… Continue reading

Search for missing Tofino boaters scaled back, handed over to RCMP

TOFINO, B.C. — Jae Valentine woke to the sound of wolves howling… Continue reading

Get ready for the ‘internet of cows’: Farmers use technology to shake up agriculture

MONTREAL — Get ready for the “internet of cows.” Generations of farmers… Continue reading

WATCH: Red Deer cadets conclude year of learning

After a year of hard work, Red Deer’s local Air and Army… Continue reading

WATCH: Central Alberta High School Soccer League champs crowned

Lindsay Thurber girls’ team and Notre Dame boys’ team won Saturday at Edgar Park Field in Red Deer

5 dead as SUV chased by Border Patrol crashes in South Texas

BIG WELLS, Texas — At least five people were killed and several… Continue reading

Ramifications of a trade war: an expert look at the numbers for Canada

OTTAWA — A new analysis of escalating trade disputes involving the United… Continue reading

Deliberate spill: study launched to test crude and bitumen impact on lake life

KENORA, Ont. — Researchers were in northwestern Ontario over the weekend spilling… Continue reading

Two-spirit N.B. First Nation chief says his election points to progress

FREDERICTON — The new leader of a New Brunswick First Nation said… Continue reading

Google diversity report: Black women make up only 1.2 percent of its US workforce

Google released its annual workforce diversity report Thursday, marking only modest changes… Continue reading

Brazil held to 1-1 draw by Switzerland at World Cup

ROSTOV-ON-DON, Russia — Brazil joined the list of big teams struggling to… Continue reading

Canada’s Auger-Aliassime wins Sopra Steria title for 2nd straight year

LYON, France — Canadian Felix Auger-Aliassime defended his ATP Challenger Sopra Steria… Continue reading

Police: Taxi driver who hit 8 Moscow pedestrians fell asleep

MOSCOW — The suspect in a taxi crash near Red Square that… Continue reading

Most Read


Five-day delivery plus unlimited digital access for $185 for 260 issues (must live in delivery area to qualify) Unlimited Digital Access 99 cents for the first four weeks and then only $15 per month Five-day delivery plus unlimited digital access for $15 a month