Loading articles...

CIBC's Simplii and BMO investigating hacks that may have leaked customer data

Last Updated May 28, 2018 at 7:01 pm EDT

Two of Canada’s largest financial institutions warn that data breaches may have leaked the banking information of thousands of customers.

Simplii Financial said Monday a hack may have compromised the personal and account information of about 40,000 customers.

The company issued a statement advising clients that it has “implemented additional online security measures” after it received a claim on Sunday that fraudsters may have electronically accessed certain personal and account information.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” Michael Martin, senior vice-president of Simplii Financial, said in a statement.

“We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

One listener named Jennifer told 680 NEWS $2,889 was taken out of her CIBC Simplii account last week and the money is still missing. She also said her personal information was changed. She said she also reported this incident to the RCMP.

“It’s pretty scary … this [person] knows my home address, does he know my birth date? Does he know other things that I have provided to Simplii?,” Jennifer said. “I feel very violated.”

The company said there’s “currently no indication that clients who bank through CIBC have been affected.”

Simplii Financial is also reminding customers to use a complex password and pin.

Just like Simplii, The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation,” BMO said in a statement.

The bank said it believes the attack came from outside the country.

Both banks are asking their clients to monitor their accounts for any signs of unusual or suspicious activity, and to report such activity to them.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.

With files from News Staff