Canadians’ Personal Information Held Hostage

On Monday, May 28, two Canadian banks revealed they had suffered cyber-attacks over the weekend. The two institutions, Simplii Financial and Bank of Montreal, both released statements confirming that they had been hacked. Later it was revealed that the hackers responsible are attempting to hold the data stolen from the banks for ransom. The hackers claim that they will release the personal information of 100,000 clients of the banks unless they receive 1 million USD worth of cryptocurrency.

Simplii Financial, a subsidiary of CIBC, one of Canada’s biggest financial institutions, released a statement on Monday confirming the incident, which was discovered on the previous Sunday. The statement confirmed that the hackers had managed to access and steal certain personal and account information for approximately 40,000 of Simplii's clients. Upon the discovery, Simplii moved to implement enhanced online fraud monitoring and online banking security measures. It also stated that it would directly contact all those affected. Michael Martin, the Senior Vice-President, wished to assure clients that, “We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” and, “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

In addition to the institution improving its own security measures, it also advised clients to use complex passwords and PIN codes; it further advised clients to monitor and report any suspicious activity on their accounts. The bank further stated that if a client is a victim of fraud because of this issue, the bank will return 100% of the money lost from the affected bank account.

Bank of Montreal

Almost an hour after Simplii released its statement to the public, the Bank of Montreal released its own. The statement, eerily similar in content to Simplii’s, said that the bank had been contacted by the hackers, who informed the bank that they were in possession of certain personal and financial information for a limited number of customers. However, unlike the Simplii statement, there was no mention of how many customers had their information compromised. The only further information given by the bank was that it believes the hack originated from outside of Canada. Given the paragraph-long statement issued by the bank, clients could be forgiven for thinking that it was merely a template which could be, and has been, used in the past. Both statements are light on actual details pertaining to the hack and what will be done to prevent further breaches.

Data held for Ransom

About a day after the banks issued their statements, both Canadian and international news sources began reporting that the information stolen from both banks was essentially being held for ransom. CBC reported that approximately 100,000 clients of both banks had their personal information compromised. While Bank of Montreal was unwilling to divulge numbers initially, this would imply that the personal information of 50,000 of its clients, as a conservative estimate, was stolen. The CBC report claimed that the hackers were insisting that the banks pay 1 million USD in the popular cryptocurrency Ripple. According to CCN, a popular cryptocurrency news site, Ripple is the fourth largest cryptocurrency by market capitalization.


The CBC report also contained far more information than either bank’s public statement. According to the report, both banks received an email from the hackers which is believed to have come from a Russian-based domain. In the email, both banks were warned that the information would be leaked if they did not comply with the hackers’ demands. The email also contained information on how the hackers managed to steal the information. The information was stolen by gaining partial access to accounts by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences such as credit card numbers and social insurance numbers. The hackers were then able to use the algorithm to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account.

Both banks claim to have robust security measures, but if the email is to be believed, clients of the banks will undoubtedly question this. The hackers went on to state that, “They were giving too much permission to the half-authenticated account which enabled us to grab all these information,” and further that the bank, “was not checking if a password was valid until the security question was input correctly.” Surely, then, the security measures in place are not as robust as once thought.
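The following added example (not code from either bank or from the CBC report) shows the control whose absence the email describes: a login session that tracks how far authentication has progressed and refuses profile access or security-question resets until the password has been verified. It assumes the checksum mentioned above is the Luhn algorithm; the action names, the `Session` class and the sample card number are constructed for illustration.

```python
import hashlib, hmac
from enum import IntEnum

class Stage(IntEnum):
    ANONYMOUS = 0
    IDENTIFIED = 1     # identifier is well-formed; says nothing about who typed it
    AUTHENTICATED = 2  # password verified

# Hypothetical action names; every sensitive action needs full authentication.
REQUIRED = {
    "start_login": Stage.ANONYMOUS,
    "view_profile": Stage.AUTHENTICATED,
    "reset_security_questions": Stage.AUTHENTICATED,
}

def luhn_valid(number: str) -> bool:
    """Luhn checksum (assumed algorithm): a typo check, not a secret."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Session:
    def __init__(self, salt: bytes, stored_hash: bytes):
        self.stage = Stage.ANONYMOUS
        self._salt, self._hash = salt, stored_hash

    def identify(self, card_number: str) -> None:
        if luhn_valid(card_number):
            self.stage = Stage.IDENTIFIED

    def authenticate(self, password: str) -> None:
        # The password is verified before any recovery or profile step opens up.
        candidate = hash_password(password, self._salt)
        if self.stage >= Stage.IDENTIFIED and hmac.compare_digest(candidate, self._hash):
            self.stage = Stage.AUTHENTICATED

    def authorize(self, action: str) -> bool:
        # Unknown actions fall back to the strictest requirement (deny by default).
        return self.stage >= REQUIRED.get(action, Stage.AUTHENTICATED)
```

A session that has only passed the checksum stays at `IDENTIFIED`, so `authorize("reset_security_questions")` returns `False` until `authenticate` succeeds.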

Deadline already passed

The email also gave the banks a deadline to comply with their demands, stating, “These ... profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don't get the payment before May 28, 2018, 11:59 PM.” What is more interesting, however, is that the hackers’ cryptocurrency wallet has only been open for a month and has received over 5 million USD already. Both banks deny having paid the ransom demands of the hackers, but questions will undoubtedly be raised as to how the hackers’ wallet swelled so quickly. Could more banks be affected by the group’s activities?

In many similar instances, the authenticity of the attacker’s information is questioned. In this instance, the hackers sought to put any such questions to bed by releasing identifying information of two Canadian customers, one from each bank. CBC was able to confirm the validity of the personal information of the two Canadians affected. More worryingly, a list of approximately 100 Bank of Montreal customers has surfaced online, with CBC managing to validate with those customers the authenticity of the information leaked.