Fraudsters contacted two Canadian banks claiming they stole tens of thousands of customers’ personal and account information.
Simplii Financial, the direct banking brand for the Canadian Imperial Bank of Commerce (CIBC), disclosed on 28 May that fraudsters had contacted CIBC a day earlier and claimed to have stolen the information belonging to 40,000 customers. The bank subsequently launched an investigation into the incident to determine the veracity of the fraudsters’ tip. It also implemented additional security measures including enhanced online fraud monitoring tools on its systems.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Simplii Financial’s senior vice-president Michael Martin, as quoted in a news release. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
Later that day, the Bank of Montreal (BMO) confirmed in its own statement that it had received a similar warning from fraudsters on 27 May about a potential hack against its systems. A spokesperson for the bank said that the attack possibly affected 50,000 customers, reported Reuters. In response, BMO restricted access to all potentially affected customers’ accounts.
A notice published by the bank revealed that BMO is in the process of working with those customers to reissue payment cards, change passwords and take additional steps to protect their accounts.
It’s unclear whether the two attacks were connected at the time of publication.
Several hours later on 28 Monday, multiple media outlets in Canada received a letter from someone purporting to have stolen customers’ information from both CIBC and BMO. They wrote how they intended to sell the data unless both banks paid one million dollars by 11:59 p.m. that night. The letter said that criminals could use the stolen information to “apply for products credit using social insurance number, date of birth and all other personnal[sic] info,” as reproduced by Canadian Broadcasting Company (CBC).
Jérôme Segura, lead malware intelligence analyst at Malwarebytes, said he wasn’t so sure. He explained that the individual negated the value of any stolen information by reaching out to the banks. As CBC quoted:
It’s probably just that they were trying to blackmail them. They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, ‘We’re going to release this or else we can work something out.’
While they continue their investigations, CIBC and BMO advised customers to pay close attention to their accounts for unauthorized transactions and to reach out if they spot anything suspicious.
News of these potential hacks follows less than two weeks after the world learned of a software vulnerability that likely caused a hack through which criminals transferred more than 300 million pesos (over US $15 million) out of Mexican banks.