Canada’s banking industry received a jolt Monday after Bank of Montreal and Canadian Imperial Bank of Commerce’s Simplii Financial reported they were investigating the possibility that “fraudsters” may have accessed some of their customers’ information.
Both BMO and Simplii said they had been contacted on Sunday by unnamed individuals claiming that information may have been accessed, with BMO saying fraudsters alleged they possessed “certain personal and financial information for a limited number of customers.”
A spokesperson for BMO said they believe the number of accounts affected is fewer than 50,000.
“Yesterday, we became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public,” said Paul Gammal in an email. “We are working with the relevant authorities and are conducting a thorough investigation.”
BMO, Canada’s fourth largest bank, said it believes the purported attackers initiated the assault from outside the country. The bank added that it was proactively contacting customers who may have been affected.
“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” the bank said in a statement.
BMO’s spokesperson said the issue appears to be related to a similar one at Simplii, CIBC’s direct banking brand. Simplii announced Monday that it had implemented additional online security measures in response to a claim that personal and account data of around 40,000 clients may have been accessed electronically.
While Simplii said there is currently no sign of clients banking through CIBC being affected, a spokesperson noted that it was trying to determine the validity of the claim and the type of information that could have been accessed. It also vowed to reach out to customers and to return 100 per cent of any money lost from a client’s account because of the situation.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice-president at Simplii Financial, in a release. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
No similar issues were reported Monday by Bank of Nova Scotia, Royal Bank of Canada or Toronto-Dominion Bank.
The situation, however, comes at a sensitive time for the banks, especially as amendments to federal legislation governing financial institutions are being weighed in Ottawa.
Bill C-74, according to its summary, could expand the type of activities that banks engage in with fintech companies, “as well as modernize certain provisions applicable to information processing and information technology activities.”
Last week, Canada’s privacy commissioner expressed concerns about the legislation to the Senate banking committee, warning it may not strike the right balance between promoting innovation and protecting privacy.
Moreover, the situation at BMO and Simplii comes as lenders say they are investing heavily in technology and seeing increased mobile and online banking. And the high-profile data breach that struck credit reporting agency Equifax Inc. has already shown the impact of such problems.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” said Dr. Ann Cavoukian, the former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre. “This is a real eye-opener.”
While not ruling out the possibility of a similar situation having happened, Cavoukian said she could not recall one in Canada with a Canadian bank. The former privacy commissioner was also critical of the language used in reporting the potential incidents.
“The question that that begs is why weren’t you engaging in those measures all along?” Cavoukian said.
The banks said they were working with various authorities on the claims.
A spokesperson for the Office of the Privacy Commissioner of Canada said they had been notified of the situation, “and we are working with the organizations to better understand what occurred and what they are doing to mitigate the situation.” Due to confidentiality provisions, the commissioner’s office said it could not provide further details at this time.
Banks, along with other industries, do report data breaches to the privacy office, the spokesperson said. The 2016-17 annual report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act showed that the financial sector made up 79 of the 325 PIPEDA complaints accepted by the office that year.
The commissioner’s office also noted that there have been “numerous high-profile data breaches in Canada” over the past few years.
A spokesperson for Canada’s banking regulator, the Office of the Superintendent of Financial Institutions, said they were aware of the incident, but that they are required by law to keep supervisory information about specific banks confidential.
Email: firstname.lastname@example.org | Twitter: GeoffZochodne