• United States



2 Canadian banks hacked, 90,000 customers’ data stolen

May 29, 20183 mins
CyberattacksData BreachHacking

Two of Canada's largest banks, Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial, confirmed hackers stole the personal and financial data of thousands of customers.

thinkstockphotos canada flag
Credit: frwooar/Thinkstock

Canada’s fourth and fifth largest bank confirmed that “fraudsters” stole the personal and financial information of some of the banks’ customers. Between the two banks, an estimated 90,000 customers have been affected.

Bank of Montreal breach

The Bank of Montreal (BMO), Canada’s fourth largest bank, issued the following statement confirming the breach:

On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. We believe they originated the attack from outside the country. We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation. 

The bank is in the process of contacting affected customers and urged customers to monitor their accounts for any suspicious activity.

A spokesman for the bank told Reuters that “it believed that less than 50,000 of the bank’s 8 million customers across Canada were hacked. He declined to say if any customers lost money as a result of the attack.” The spokesman added that the attackers threatened to make the data public.

Simplii Financial breach

Simplii Financial, a subsidiary of the Canadian Imperial Bank of Commerce, Canada’s fifth largest bank, also confirmed on Sunday that “fraudsters” claimed to have “electronically accessed certain personal and account information for approximately 40,000 of Simplii’s clients.”

The bank implemented “enhanced online fraud monitoring and online banking security measures” and is investigating and verifying the accuracy of the hackers’ claims. Simplii said it intends to reach out to affected customers but urged all customers to use a complex password and PIN as well as monitor their accounts for suspicious activity.

Furthermore, there is “no indication” that clients of the main Canadian Imperial Bank of Commerce were impacted.

Simplii did not mention if attackers threatened to leak the stolen data to the public like in the case of the Bank of Montreal.

Why weren’t banks using enhanced online security measures all along?

The Canadian Bankers Association told Bloomberg, “This past weekend’s cyber security incident is an extremely rare occurrence for Canadian banks, which are known for their leading cyber-security practices. The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers.”

Yet Dr. Ann Cavoukian, the former privacy commissioner of Ontario, told the Financial Post, “When you’re dealing with financial information, you should have the highest level of privacy protection possible.”

Granted, both banks did take steps to enhance online security measures after being contacted by the attackers, but Cavoukian asked, “The question that begs is why weren’t you engaging in those measures all along?”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.