Two of Canada's largest banks warn that "fraudsters" may have had access to the personal and financial information of up to 90,000 customers.
The Bank of Montreal said Monday that fraudsters had contacted the institution Sunday claiming to hold the personal information of less than 50,000 customers, without specifying what kind of data it was. The bank believes the cyber attack was committed outside of Canada.
"We are conducting a thorough investigation," said spokesman Paul Gammal in a statement sent Monday by email.
"We have seen unverified statements that personal and financial data of customers could have been accessed by a fraudster and a threat has been made to make it public," he said. The bank did not say whether the abuser had asked for money.
Earlier Monday, Simplii Financial, CIBC Direct Banking, warned that "fraudsters" may have had electronic access to certain personal and account information from approximately 40,000 Virtual Bank customers.
Simplii Financial took note of the potential problem on Sunday and put in place additional security measures, such as increased online fraud control, she said on Monday, adding that she was working with the relevant authorities.
Mr. Gammal said the two incidents seemed to be related. The Royal Bank, Scotiabank and TD Bank said there was no reason to believe they had been affected by the problem.
Situation closely watched
Bank of Montreal and CIBC both stated that they would contact customers and advised them to monitor their accounts and contact their financial institution to report suspicious activity.
"We are investigating to determine the validity of the claims and the type of information that [the fraudsters] would have had access to," CIBC spokesperson Tom Wallis said in a statement sent by email.
Finance Minister Bill Morneau has spoken with the leaders of the institutions concerned, according to ministry spokeswoman Jocelyn Sweet.
"We are keeping a close eye on the situation with the Office of the Superintendent of Financial Institutions," she said in a statement sent by email. "The situation is studied by the institutions, in collaboration with the police. "
The Office of the Privacy Commissioner said on Monday that both banks had advised him of the case.
"We are working with organizations to better understand what has happened and what they are doing to alleviate the situation," spokeswoman Valerie Lawton said in an email.
"At this point, we are in contact with the companies, but we have not opened a formal investigation. "
Simplii said that customers who are victims of fraud because of the problem would receive 100% of the money lost from the affected bank account. The virtual bank added that "there is currently no indication that CIBC's banking customers would have been affected."
CIBC launched Simplii in November, absorbing the accounts of some two million PC Financial account holders. CIBC had been providing core banking services to PC Financial for almost 20 years, but in August it entered into an agreement with PC's parent company, Loblaw, to separate.
A list that is growing
Potential data theft reported Monday by Simplii and the Bank of Montreal are the latest cybersecurity incidents involving Canadians.
Last fall, the Equifax credit monitoring service informed the public that hackers had access to the personal data of 145.5 million US customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their personal information, such as their name and email addresses, was illegally accessed during a data breach.
In November, the carpool company Uber said that hackers stole names, email addresses and mobile numbers from millions of users. Uber said in December that 815,000 Canadians may have been affected by the global data breach.
The new federal data breach rules, which would include mandatory incident reporting, are to come into effect on November 1 st .
The regulations require organizations to determine whether a data breach poses a risk to anyone whose information is at issue, and then to notify the federal privacy commissioner and those affected "as early as possible". Previously, companies that were hacked could alert the public when they thought it was appropriate.