Recently some of my colleagues have been wondering about the hack of customer data from at least two Canadian banks. The story evolved over a number of days in May and was actually reported by the institutions involved, something that may have muted public reaction to the news.
Canadian banks, for the most part, have avoided data theft and events collectively described as hacking. That’s a good thing. Until now.
What is not good news in this instance is the way that the bank data was acquired, not to mention the scope of that data.
Furthermore, some of the stolen data, which was very detailed and included names, addresses, social insurance numbers, and security questions, was for a time posted in a publicly accessible location.
Such data is perfect for identity theft. You don’t really need anything else to set up phony accounts with that sort of data. We may once again see some property title transfer attempts with this data.
At the moment it appears that the banks involved (BMO and Simplii – an offshoot of CIBC) are either notifying affected customers or freezing their accounts.
Although the banks say the number of affected accounts is small, the nature of the hack suggests it likely was used, or at least attempted, at other institutions as well. For now we don't know the true scope of the attack.
What can you do? Well, you could check if your account is accessible. If it is not, then it has likely been frozen. So far, the banks involved have said they will cover all losses incurred by the attack. However, with the data that was stolen, the potential effects extend far beyond a bank account.
Sadly, coinciding with this incident, you will start to see phishing emails that pretend to help with the problem. That’s typically the case. Scammers know how to make money from other scams and from events that capture the public’s attention.
Both CIBC and BMO were quick to assure their customers that any losses incurred in the attack would be completely reimbursed by the banks. In a letter to all Simplii Financial customers, senior vice-president Michael Martin sought to reassure clients by noting that new safety procedures had been put in place and that the company was working with outside agencies, including law enforcement.
Oddly, Simplii’s note suggested that customers use a complex password and PIN, although in this case that would have made no difference as the bank’s own procedures essentially allowed the hackers to bypass the password by using a password reset request.
Clearly the big banks have been spooked by this incident. Canadian banks have essentially been money-making machines over the past number of years, with quarterly profits typically in the billion-dollar range. Management surely doesn’t want this scam, which appears to have hit around 100,000 accounts, to affect that long-term profit trend.
Hence the “we’ll reimburse you” messaging. Any loss of confidence in the Canadian banking sector would quickly cut into those massive profits. However, let’s be clear: the banks are only offering to cover money diverted from customers’ bank accounts. Any additional impact from the theft of all that valuable personal data is not being covered.
Why exactly did the hackers decide to post customer data on publicly accessible sites? It seems that the intent was to have the affected banks pay a ransom. When both banks declined, the hackers posted a small subset of account and customer data and then notified certain media outlets of the action. That led some investigative journalists to check on a small number of the accounts, thereby confirming directly with customers that the data was in fact correct.
In some cases the customers on the list confirmed that indeed there had been suspicious transfers of funds out of their accounts.
A link to the digital currency wallet that scammers are using to collect ransom payments, and perhaps direct account thefts, showed several million dollars on deposit at the end of May.
Cybersecurity analyst Dominic Vogel of cyber.sc, when asked if customers could have done anything to prevent this particular case, says there is nothing they could have done proactively. He says they need to start requesting that the banks require multi-factor authentication for access to customer data at all times.