Banks using hackers to test cybersecurity
Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques.
But the bank’s head of cybersecurity isn’t losing sleep over them — they work for him.
The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security, said Alex Lovinger, TD Bank’s vice-president of cyberthreat management.
The team conducts live attacks against its own networks continuously, Lovinger said.
“We’re doing it exactly how our adversaries would do it …
“So if we find a weakness or something like that, we can close it or address it before a real attacker.”
Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyberthreats increase.
A Senate report last month entitled “Cyber Assault: It Should Keep You Up at Night” sounded the alarm about the potential consequences of major cyberattacks in Canada.
“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the standing Senate committee on banking, trade and commerce.
“We must take the appropriate steps now, or soon we will all be victims.”
In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cybersecurity incident that affected their operations, according to Statistics Canada.
Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.
New regulations that require businesses to alert their customers about privacy breaches — or else face hefty fines — took effect at the beginning of this month.
In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.
BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada.
Simplii also warned that “fraudsters” may have accessed personal and account information for about 40,000 clients.
BMO’s chief executive Darryl White said he could not comment on the details of the privacy breach, but noted there was a “very immaterial impact from a fraud perspective” and no material financial fallout.
“We are a lot smarter as every event goes on. And there are events every day, there are events every hour of every day,” White told reporters.
“It’s a continual improvement exercise.”
Meanwhile, BMO is also turning to in-house ethical hackers to test its systems.
According to a recent job posting, BMO is seeking a senior manager with a certification in ethical hacking and whose responsibilities include managing a team of “network penetration testing” specialists.