Hackers demand $1m ransom after stealing data from 2 Canadian banks

Hackers have stolen financial data of thousands of customers – Reportedly 50,000 from BMO and 40,000 customers from CIBC have been affected.

Hackers have targeted two mainstream Canadian banks and, as a result, the financial information of roughly 90,000 customers has been stolen. One of the two banks happens to be the Bank of Montreal (BMO), Canada’s fourth-largest lender and direct banking brand of Canadian Imperial Bank of Commerce with around 8 million customers.

BMO said in an official statement that hackers contacted the bank on Monday, claiming to have the personal and financial information of 50,000 of its customers. The bank’s representative Paul Gammal said:

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off.”

Bank of Montreal also revealed that the incident was followed by a threat to make the stolen data public if the attackers did not receive payment. The bank stated clearly that it would not meet any such demands:

“Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers. We have notified and are working with relevant authorities as we continue to assess the situation.”

It is believed that the attack originated from a foreign location and has stark similarities with another hack attack on Simplii Financial, an online bank.

On Sunday, CIBC-owned Simplii Financial said it had been tipped off by hackers that the bank had been targeted and that the personal and account-related information of 40,000 customers had been stolen.

Simplii Financial’s senior vice president Michael Martin said that the bank is currently collecting information and has already implemented measures to further improve its security. Martin noted that the bank will be returning 100% of the lost amount to the victims.

“If a client is a victim of fraud because of this issue, we will return 100 percent of the money lost from the affected bank account,” said Martin.

The attackers demanded $1 million in ransom from the two banks and, in the case of Bank of Montreal, according to Reuters, the hackers were also the tipsters. In the email sent to the banks, the hackers threatened to sell the information to criminals if the banks didn’t pay the ransom by 11:59 pm.

The email contained a sample of the stolen data, which included the names, SIN, dates of birth and account balances of an Ontario-based man and woman. The email further read:

“Criminals will use Simplii and BMO client information to apply for products credit using social insurance number, date of birth and all other personal info.”

When contacted, the woman confirmed that the information in the email, including the three security questions, was authentic. Separately, on Saturday, Edmonton-based Michael McCarthy informed CBC News about a fraudulent transfer of $980 from his Simplii Financial account.

“My biggest concern is around my personal information in someone else’s hands,” stated McCarthy.

In the wake of such targeted hack attacks, Bank of Canada has warned the entire financial sector in the country to remain alert as it is vulnerable to cyber attacks.

According to Malwarebytes’ cyber-security researcher Jérôme Segura, it is quite unusual for attackers to tip off the institutions they have attacked, because as soon as the company is notified the information becomes worthless. Segura believes that this is probably the hackers’ way of blackmailing the attacked banks.

“They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, ‘We’re going to release this or else we can work something out,’” Segura added.

James Lerud, Head of the Verodin’s Behavioral states that “It is disturbing that both banks found out about the stolen data from the hackers; this means that their detection and prevention measures utterly failed. Why alert the victim if they got away with it? This is plainly an extortion attempt, where the hackers threaten to publish stolen data unless they receive a ransom.”

“It’s hard to say what the motivation for demanding the ransom is. It could be that the data stolen isn’t as valuable as they are making out to be, or if the hackers are looking for a cherry on top of their haul and would just use the stolen information after a ransom was paid. Hats off to both banks for alerting the public, this was the right thing to do and takes a lot of power away from the hackers, but we shouldn’t completely let them off the hook,” added Lerud.

“Banks, and other organizations we trust with sensitive information need to let the public know exactly how they are validating and improving defenses over time. Without a program to scientifically validate and improve controls, customers should find it hard to trust these entities with their valuable information.”

Uzair Amir