Two major Canadian banks blackmailed after alleged data breach

While the US was celebrating Memorial Day on Monday, Canada was dealing with an unusual data breach affecting two popular financial institutions: Simplii Financial and Bank of Montreal (BMO).

The CBC broke the story and updated it throughout the day to mention that some 90,000 customers were possibly affected by this attack, which the banks say they became aware of on Sunday, just one day prior.

While at first the details were scarce, the CBC later confirmed that the perpetrators had threatened to release their data trove publicly unless the banks agreed to pay them a 1 million dollar ransom on May 28th, just before midnight.

BMO has said that it did not pay the ransom and is instead focusing on helping and protecting its customers. Both banks are offering support, in particular credit monitoring services, to the victims of this incident.

This hack is noteworthy for targeting two major Canadian financial institutions at the same time and exposing extremely sensitive personal information which, unlike a password, cannot be changed. Although the data has now lost some of its immediate value, the attackers may decide to dump all the information publicly or sell it to the highest bidder.

Breaches leave users scared and frustrated because people know their data may end up being stolen in a way that is out of their own control. Having said that, certain measures can contain the damage and can be readily applied. For one, using strong and unique passwords is absolutely critical so that hackers cannot easily compromise your other accounts.

Many online services have security questions as part of the authentication process that are problematic in themselves. Rather than answering ‘blue’ to the question about your favourite colour, be a little more creative and come up with a full sentence, or even something that has nothing to do with colours at all. Finally, whenever possible, you should enable two-factor authentication as it provides an additional layer of security to the otherwise weak password-only approach.


Jérôme Segura

Principal Threat Researcher