Hackers threaten to reveal personal data of 90,000 Canadians caught in bank hack - Action News
Home WebMail Friday, November 22, 2024, 05:13 PM | Calgary | -11.1°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Business

Hackers threaten to reveal personal data of 90,000 Canadians caught in bank hack

Hackers have threatened to release personal information for nearly 100,000 customers of two Canadian banks unless the lenders pay a $1-million ransom in cryptocurrency.

BMO and Simplii say thieves stole information, demanded $1M ransom for safe return

Hack victim

6 years ago
Duration 4:05
Aaron Saltzman reports on victims of a Canadian bank hack.

Hackers have threatened to release personal information for nearly 100,000 customers of two Canadian banks unless the lenders paya $1-millionransom for its safe return.

On Monday, Bank of Montrealand online bank SimpliiFinancial owned by CIBC revealed that they learned over the weekend that theidentifying personal information of a combined 90,000 different account holders at the two banks wasstolen.

The thievessaid they accessed information such as names, account numbers, passwords, security questions and answers, and even social insurance numbers and account balances, by exploiting weaknesses in the two banks' security systems.

"We warned BMO and Simplii that we would share their customers informations if they don't cooperate," a Russian-based email purportedly from the thievessaid Monday evening.

How they did it

The email also provided a brief explanation of how they say theyhacked the accounts. The hackers claimthey were able to gain partial access to accounts by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences such as credit card numbers and social insurance numbers.

The hackers say they used the algorithm to get account numbers, which allowed them to pose asauthentic account holderswho had simply forgotten their password. They say thatwas apparently enough to allow them toreset the backup security questions and answers, giving them access to the account.

"They were giving too much permission to half-authenticated account which enabled us to grab all these information," the email said, adding that the bank "was not checking if a password was valid until the security question were input correctly."

Bank hack: Whats at risk

6 years ago
Duration 1:26
Why financial breaches are so worrying.

The email demanded a ransom of $1 million in a cryptocurrency known as Ripple be paid for the return of the data by yesterday at midnight, otherwise the information would be released.

"These ... profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don't get the payment before May 28 2018 11:59PM," the email said.

That deadline has now passed. The cryptocurrency wallet where the hackers ordered the money to be paid was only opened last month, but already has the equivalent of almost $5 million US in it.

CBC News reached out to both banks for confirmation as to whether any ransom had been paid.

"Our practice is not to make payments to fraudsters," Bank of Montreal said. "We are focused on protecting and helping our customers."

For Simplii's part, the bank said "we are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."

To back up the veracity of their claims, the thieves shared identifying information about two Canadians each a customer of each respective bank.

Hackers claim to have stolen the personal banking information of 90,000 customers at two major Canadian banks. (Mark J. Terrill/Associated Press)

'Very distressed'

CBC News contacted those two individuals, and both confirmed the veracity of the information the thieves sent out.

"I'm very distressed," one victim told CBC News when told their information had been stolen. "How could this happen? I barely slept last night, I'm so worried."

CBC News has obtained a list circulating online containing personal information of 100 BMOcustomers, which includes extensive personal information aboutthem, including names, addresses, phone numbers, account numbers, birth dates and Social Insurance Numbers. CBC News has reached out to a number of those individuals, many of whom confirmed the accuracy of the information.

OneSimplii customer who was not named in the hackers' email claiming responsibility says he was told by the bank on Monday evening that he, too, is a victim of the hack.

"It's concerning," Mike McCarthy of Edmonton said. "I'm not sure in this day and age what Ican do to get control of that data again."

"Some of those things you can't change about yourself so I'm sure it's going to exist out there for as long as someone wants to look for it."

McCarthy says he's heartened by the bank's response, offering free credit monitoring and some other services. But he still worries about what he calls "glaring gaps" in the banking system.

"Who knows? Maybe I go back to showing up at the teller," he said."I don't want to, but who knows what might happen next?"

With files from the CBC's Aaron Saltzman