Two Canadian banks have reported that they may be targets of a hack, after bad actors claimed that they electronically accessed personal and account information of a combined 90,000 customers. The attackers have asked for a ransom of 1 Ripple XMR from each, which translates to around 1 million Canadian dollars, or about $771,000 USD at the time of writing.
On Monday, both Bank of Montreal and Simplii Financial (the banking subsidiary of the Canadian Imperial Bank of Commerce) announced that “fraudsters” contacted them over the weekend claiming they had accessed certain personal and financial data from customers.
According to a report by CBC News, hackers behind the attack have demanded a ransom from the two banks in the form of the Ripple cryptocurrency. Per the same report, the hackers said they used an algorithm to pose as real account holders and used a “lost password” method that allowed them to tweak and reset security questions. They were then able to access the accounts.
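One way a defender could surface the pattern described in the CBC report, where a single source drives the “lost password” flow through to a security-question reset on many accounts. This is an added example, not code from the banks or the original article; the event format, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real bank logs): timestamp, source IP, account, action.
# Action names are hypothetical labels for steps in a "lost password" flow.
SAMPLE_EVENTS = [
    ("2018-05-26T02:00:05", "203.0.113.7", "acct-1001", "lost_password_start"),
    ("2018-05-26T02:00:09", "203.0.113.7", "acct-1001", "security_question_reset"),
    ("2018-05-26T02:00:31", "203.0.113.7", "acct-1002", "lost_password_start"),
    ("2018-05-26T02:00:36", "203.0.113.7", "acct-1002", "security_question_reset"),
    ("2018-05-26T02:01:02", "203.0.113.7", "acct-1003", "lost_password_start"),
    ("2018-05-26T02:01:08", "203.0.113.7", "acct-1003", "security_question_reset"),
    ("2018-05-26T09:15:00", "198.51.100.20", "acct-2001", "lost_password_start"),
    ("2018-05-26T09:16:40", "198.51.100.20", "acct-2001", "security_question_reset"),
    ("2018-05-26T11:00:00", "192.0.2.44", "acct-3001", "lost_password_start"),
]


def flag_reset_abuse(events, window=timedelta(minutes=10), min_accounts=3):
    """Map each suspicious source to the accounts it reset.

    A source is flagged when, inside one sliding window, it completes the
    lost-password -> security-question-reset chain on at least min_accounts
    distinct accounts. One customer recovering one account stays below that.
    """
    started = set()             # (source, account) pairs with recovery in progress
    chains = defaultdict(list)  # source -> [(time, account)] completed chains
    for ts, src, acct, action in sorted(events):
        if action == "lost_password_start":
            started.add((src, acct))
        elif action == "security_question_reset" and (src, acct) in started:
            started.discard((src, acct))
            chains[src].append((datetime.fromisoformat(ts), acct))

    flagged = {}
    for src, done in chains.items():
        left = 0
        for right in range(len(done)):
            # Advance the left edge until the span fits inside `window`.
            while done[right][0] - done[left][0] > window:
                left += 1
            accounts = {acct for _, acct in done[left:right + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(src, set()).update(accounts)
    return {src: sorted(accts) for src, accts in flagged.items()}


if __name__ == "__main__":
    print(flag_reset_abuse(SAMPLE_EVENTS))
```

Keying on source IP alone is the simplest form of this check; activity spread across many sources would need a different grouping key.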
BMO said that a limited number of customers were impacted: “We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” the company said in a statement. “We have notified and are working with relevant authorities as we continue to assess the situation.”
The bank, which has 7 million customers overall, added that it believes the bad actors originated the attack from outside the country.
Simplii, meanwhile, said that approximately 40,000 customers may be impacted. The company added that there is currently no indication that clients who bank through CIBC have been affected.
“Immediately upon learning of the potential issue, Simplii began investigating to understand the claim and verify its accuracy,” Simplii said in a statement. “We also moved quickly to implement enhanced online fraud monitoring and online banking security measures. In addition, Simplii will be reaching out to clients proactively through all channels.”
Simplii told customers in a tweet it would “ensure that 100% all money lost [sic]… will be returned.”
We’re assessing all potential impacts. If a client is a victim of fraud bcuz of this issue, we will ensure that 100% all money lost in an affected account is returned. If ur account was affected by this issue, we will reimburse u for 1 year of credit monitoring. ^Julie
— Simplii Financial (@SimpliiFin) May 29, 2018
Neither bank responded to multiple emails from Threatpost inquiring about any links between the two breaches or whether any money was stolen from customers’ accounts.
James Lerud, head of the Verodin Behavioral Research Team, said the incident appears to be an extortion attempt by the hackers, where they threaten to publish stolen data unless they receive a ransom.
“It’s hard to say what the motivation for demanding the ransom is,” he said. “It could be that the data stolen isn’t as valuable as they are making out to be, or if the hackers are looking for a cherry on top of their haul and would just use the stolen information after a ransom was paid.”
Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost that attackers generally target banks because, put simply, that’s where the money is. “Ultimately, the biggest threat is the loss of money, but the mechanisms by which an attacker might execute such an attack can vary,” Erlin told Threatpost. “There’s no single, biggest threat for banks to address outside of complexity. The more complex the environment, the greater the attack surface.”
To protect themselves, consumers should always use a complex password and PIN, and regularly monitor their accounts for signs of unusual activity.
This story was updated June 1 at 9:45 a.m. with information on the ransom demand and the total number of customers affected.