Two Canadian banks confirmed on Monday that they have been contacted by ‘fraudsters’ claiming to have in their possession personal and financial information on tens of thousands of customers.
The Bank of Montreal (BMO) said in a brief statement that the data related to a “limited” number of customers, which some reports put as high as 50,000.
“We believe they originated the attack from outside the country. We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” it added.
The lender is working with the authorities and contacting those who may have been affected, advising customers to keep a close eye on their accounts for any potentially suspicious activity.
Simplii Financial, a subsidiary of the Canadian Imperial Bank of Commerce, was more transparent, revealing that around 40,000 customers may have been affected after it was contacted by fraudsters on Sunday, the same day as BMO.
It is also investigating the claims and has reached out to customers, urging them to monitor their accounts and to always use a complex password and PIN, although this advice is in itself indicative that 2FA is not used by the bank as standard for customer authentication.
“We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice president at Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
It’s not clear whether the parties that contacted each bank were fraudsters or the hackers who initially breached the data.
James Lerud, head of the Verodin Behavioral Research Team, argued that if the data breach is genuine then the banks’ detection and prevention measures appear to have failed.
“Hats off to both banks for alerting the public; this was the right thing to do and takes a lot of power away from the hackers, but we shouldn't completely let them off the hook,” he added.
“Banks and other organizations we trust with sensitive information need to let the public know exactly how they are validating and improving defenses over time. Without a program to scientifically validate and improve controls, customers should find it hard to trust these entities with their valuable information.”