BMO, CIBC’s Simplii warn fraudsters may have accessed data
Clients’ personal and financial information could be compromised
Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.
The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers; however, it did not elaborate on the type of data they accessed. The bank believes the attack originated from outside of Canada.
“We are conducting a thorough investigation,” spokesman Paul Gammal said in an emailed statement on Monday.
“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public.
“We are working with the relevant authorities,” he said. BMO did not say whether the attacker asked for money.
The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.
Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.
Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they have been affected.
Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.
“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.
Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, according to ministry spokeswoman Jocelyn Sweet.
“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement.
“The situation is being investigated by the institutions in collaboration with law enforcement.”
The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.
“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.
“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”
Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders.
CIBC had provided the backend banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.
The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.
Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.
In November, ride-sharing company Uber said hackers stole names, email addresses and mobile phone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.
New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.
The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible”.
Previously, companies which had been hacked had been alerting the public on their own timeline.
A review of 200 deaths in British Columbia among young people who were moving out of government care over a six-year period recommends expanding support services to help save lives.
The coroner’s death review panel identifies four areas of focus to reduce deaths after examining issues facing young people who leave government care and attempt to live independently. The report released Monday concludes that young people leaving government care in B.C. died at five times the rate of the general youth population.
Panel chairman Michael Egilson said the review of deaths between 2011 and 2016 found high rates of suicide and drug overdoses, and a disproportionate number of deaths among Indigenous youth.
The report says 1,546 youth between the ages of 17 and 25 died from causes classified as accidental, suicide, natural, homicide or undetermined during the period of the review from Jan. 1, 2011, to Dec. 31, 2016. Of those deaths, 200 or 13 per cent were among people who had been in some form of government care.
Many young people leaving government care show resilience and strength, but they face more challenges than many of their peers, the review says.
“They may lack a family support network, have limited or no financial resources, often lack life skills, and often have not completed school,” the review states. “They may suffer from low self-esteem and be scarred by trauma associated to violence, childhood neglect and/or abuse.”
The report says about 4,316 children and youth are discharged from care in B.C. each year, and of those, 780 end government care at age 19.
Youth in B.C. are considered adults at 19 and most leave government care.