TORONTO—Two of Canada's biggest banks warned yesterday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.
The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.
“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” spokesman Paul Gammal said in an e-mailed statement yesterday.
“A threat was made. Our practice is not to make payments to fraudsters,” he noted.
“We are focused on protecting and helping our customers.”
The bank said it believes the attack originated outside Canada but did not elaborate on the type of data they accessed.
Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.
The disclosure followed a warning from CIBC's direct banking brand, Simplii Financial, that also said “fraudsters” may have electronically accessed certain personal and account information for roughly 40,000 Simplii Financial clients.
Simplii said yesterday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.
Gammal said the potential breach at BMO appears to be related to the CIBC issue.
Royal Bank, Scotiabank, and Toronto-Dominion Bank said they have no indication they were affected.
Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.
“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an e-mailed statement.
Finance minister Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.
“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an e-mailed statement.
“The situation is being investigated by the institutions in collaboration with law enforcement.”
The Office of the Privacy Commissioner said yesterday that both financial institutions have notified it about the issue.
“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” spokeswoman Valerie Lawton said in an email.
“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”
Simplii said yesterday that clients who are victims of fraud because of the issue will receive 100 percent of the money lost from the affected bank account.
It added there is no indication that clients who bank through CIBC have been affected.