What to do in the case of the BMO, CIBC’s Simplii data breaches

terry cutler bmo cibc hack

Bank of Montreal and Simplii Financial are grappling with the fallout from apparent data breaches that may have exposed sensitive personal and financial information belonging to tens of thousands of customers.

A day after both banks revealed that as many as 90,000 total customers may be affected, both banks were still working to contact customers whose data may have been stolen, freeze accounts at risk of further fraud and reimburse fraudulent transactions.

Alleged “fraudsters” contacted BMO and Simplii on Sunday, claiming to have accessed the data, and “a threat was made,” according to a BMO spokesperson. The banks revealed the breaches on Monday morning and have begun reaching out to affected clients. But many customers are still confused about how to access their banking, waiting for lost funds to be returned, and left wondering whether their personal data leave them vulnerable to further fraud.

“We are proactively contacting customers and taking all available means to protect their accounts, including blocking online and mobile access to accounts that may have been impacted, personally calling each impacted customer, as well as offering them free credit monitoring,” BMO spokesman Paul Gammal said in an e-mail.

BMO, which is Canada’s fourth-largest bank, said customers whose online accounts have been blocked by the bank can visit a branch or use telephone banking in the meantime, and that most debit cards are still working. But for an online bank such as Simplii, the solution isn’t so simple.

On Saturday night, Will Lochner, a Simplii customer and student from Ayr, Ont., received a notification that someone he didn’t recognize had accepted a $485 e-transfer that he didn’t send. He contacted Simplii, changed his password and was issued a new bank card. His complaint is being investigated, but he has yet to receive the new card. Fortunately, he works a farm job that pays in cash, and “I’m kind of just going off the cash right now,” he said. “It’s been a bit confusing, to be honest.”

Both BMO and Simplii have promised to reimburse customers for funds lost through unauthorized transactions arising from the data breaches. “Customers will not lose money from this,” Mr. Gammal said.

Yet some clients have waited days and still don’t know when they will be reimbursed for transactions that, in some cases, total thousands of dollars.

Matthew Smith has banked with Simplii, which is owned by Canadian Imperial Bank of Commerce and was formerly part of President’s Choice Financial, for more than a decade. But last Thursday, he was unable to log in to his accounts and the safety questions to recover his password had been changed. When he reached Simplii, he was told his account was flagged for suspicious activity: Two e-mail money transfers, each for $1,500, had been sent to recipients he’d never heard of.

Mr. Smith was told on Thursday that he would be reimbursed in one to two business days, but the funds haven’t arrived. “I’m quite unhappy about the whole situation,” he said. “We’re trusting these banks with so much of our information and I don’t feel the way they’ve handled this whole thing has been very good.”

Mr. Smith’s experience is typical of an apparent pattern in the instances of fraud reported by customers who believe their data have been exposed: The user is unable to log in, the account’s security questions have been changed and unauthorized e-transfers have been sent without their knowledge.

The alleged hackers’ apparent ability to take control of numerous accounts and move money electronically speaks to the sensitivity of the data that have allegedly been stolen.

“There are categories of information which are more valuable,” said Imran Ahmad, a lawyer who leads the cybersecurity practice at Miller Thomson LLP. “ If you steal somebody’s credit card information, that’s typically a very short shelf life and relatively easy to fix. If you steal somebody’s full identity by getting access to their [social insurance number], their banking details and can build a virtual profile, that identity theft can take a very long time … to correct or to fix.”

On Monday, a Facebook post from an account claiming to represent the alleged hackers included a link to a website that seemed to contain several hundred people’s private banking information. The entries included names, account numbers, dates of birth and social insurance numbers, among other data.

Checkout my other social media channels at:

My Blog: http://www.TerryCutler.com
Internet Safety Course: http://www.InternetSafetyUniversity.com
Linkedin: http://www.linkedin.com/in/terrycutler
Twitter: http://www.twitter.com/terrypcutler
Wikipedia: https://en.wikipedia.org/wiki/Terry_Cutler
Facebook https://www.facebook.com/terrycutlerfan
Instagram https://www.instagram.com/terrycutler/
YouTube https://www.youtube.com/terrycutler1

Terry Cutler

I’m Terry Cutler, the creator of Internet Safety University, an educational system helping to defend corporations and individuals against growing cyber threats. I’m a federal government-cleared cybersecurity expert (a Certified Ethical Hacker), and the founder of Cyology Labs, a first-line security defence firm headquartered in Montréal, Canada. In 2020, I wrote a bestselling book about the secrets of internet safety from the viewpoint of an ethical hacker. I’m a frequent contributor to National & Global media coverage about cyber-crime, spying, security failures, internet scams, and social network dangers families and individuals face daily.