Hackers have threatened to release personal information about 90,000 customers of two Canadian banks — Bank of Montreal and Simplii Financial — unless they receive a ransom of $1 million in cryptocurrency Ripple (XRP). And we have full details.
According to the Bank of Montreal (BMO), on Sunday, 27 May 2018, a group of hackers contacted BMO claiming that they were in possession of personal and financial information belonging to some of the bank’s customers. This is the text from the press release issued by BMO:
“On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. We believe they originated the attack from outside the country. We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them. BMO has strong and robust processes in place to protect customer data and we take customer privacy very seriously. Customers are recommended to monitor their accounts and notify BMO with any suspicious activity.”
After publicizing the above statement on Twitter, BMO issued two additional tweets to inform its customers about what was happening:
Customer Update: BMO has proactively shut down access to customer accounts identified as potentially impacted by the breach. Credit and Debit Mastercard customers can still conduct chip and pin transactions, but customers with BMO Blue Debit-only cards will be unable to transact.
— BMO (@BMO) May 28, 2018
BMO will be calling each potentially-impacted customer in the next 24 hours to offer complimentary monitoring, replace cards, ensure all passwords get reset, and determine if there was any financial impact.
— BMO (@BMO) May 28, 2018
As for Simplii Financial, which is the direct banking subsidiary of the Canadian Imperial Bank of Commerce (CIBC), it sent out a tweet on 28 May 2018 that referred its customers to the following statement on Facebook:
“Dear Simplii Financial client:
We have implemented enhanced online security measures in response to a claim received on Sunday, May 27 that fraudsters may have electronically accessed certain personal and account information for some of our clients.
In addition to the steps that Simplii has taken, we recommend that clients:
• Always use a complex password and pin (eg. not 12345)
• Monitor their accounts for signs of unusual activity
Clients who notice suspicious activity are encouraged to contact Simplii Financial. If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account.
We take this matter seriously and will be reaching out individually to clients who may be impacted. Updated information will be posted here as it becomes available.
Michael Martin, SVP Simplii Financial”
The latest information that we have comes from Canadian national public broadcaster (for radio and television) CBC. According to their report on 29 May 2018, a total of around 90,000 customers from these two banks have been affected by this attack. The hackers have said they have access to information about customers such as names, passwords, account numbers, security questions/answers, debit card numbers, national ID (social insurance) numbers, account balance, occupation, marital status, home address, and even their Air Miles number. And what is even more frightening is that CBC News found the information about 100 BMO customers already leaked online by the hackers.
According to the CBC report, on Monday evening, a Russian-based email supposedly from the hackers said the following:
“We warned BMO and Simplii that we would share their customers informations if they don’t cooperate.”
What is very unusual about this hacking attack is that the same email from the hackers explained how they did it:
“The hackers claim they were able to gain partial access to accounts by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences such as credit card numbers and social insurance numbers.
The hackers say they used the algorithm to get account numbers, which allowed them to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account.”
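Why a checksum-valid account number cannot stand in for proof of identity, and what number-guessing looks like in reset-form logs, as an added example that is not from the banks, CBC or the original article. It assumes the checksum is Luhn (the report does not name the algorithm); the log format, addresses, identifiers and threshold are constructed for illustration.

```python
from collections import defaultdict

def luhn_valid(number: str) -> bool:
    """Luhn check: catches typos; it is public and proves nothing about the caller."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def checksum_pass_rate(width: int = 9, count: int = 10_000) -> float:
    """Share of a consecutive block of identifiers that pass the checksum."""
    return sum(luhn_valid(f"{n:0{width}d}") for n in range(count)) / count

# Constructed reset-form log: (source address, identifier submitted, matched an account?)
SAMPLE_RESETS = [
    ("198.51.100.20", "046454286", True),  # one customer retrying their own number
    ("198.51.100.20", "046454286", True),
    ("203.0.113.7", "100000009", False),
    ("203.0.113.7", "100000017", False),
    ("203.0.113.7", "100000025", True),
    ("203.0.113.7", "100000033", False),
    ("203.0.113.7", "100000041", False),
    ("203.0.113.7", "100000058", True),
]

def flag_reset_enumeration(events, max_distinct=3):
    """Return sources that submitted more than max_distinct different identifiers."""
    seen = defaultdict(set)
    misses = defaultdict(int)
    for source, identifier, matched in events:
        seen[source].add(identifier)
        if not matched:
            misses[source] += 1
    return {
        src: {"distinct": len(ids), "misses": misses[src],
              "all_checksum_valid": all(luhn_valid(i) for i in ids)}
        for src, ids in seen.items() if len(ids) > max_distinct
    }

if __name__ == "__main__":
    print(f"checksum pass rate: {checksum_pass_rate():.0%}")
    print(flag_reset_enumeration(SAMPLE_RESETS))
```

One in ten identifiers of a given length passes the checksum, so a reset flow needs a second, secret factor and per-source limits on distinct identifiers; a source whose submissions all pass the checksum but mostly match no account is the pattern to alert on.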
According to this email, the hackers demanded a $1 million ransom to be paid to them in cryptocurrency Ripple (XRP), and the deadline was “May 28 2018 11:59PM.” The deadline has now passed, but as is usual in these types of cases, the two banks involved are not saying whether or not the ransom was paid. When CBC reached out to BMO for a comment, it was told: “Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers.”
As far as cryptocurrency enthusiasts are concerned, perhaps the most interesting thing about this hacking attack is that the hackers asked for the ransom to be paid in Ripple (XRP) and not one of the cryptocurrencies used by criminals in the past, such as Bitcoin (BTC) or some privacy-focused cryptocurrency such as Monero (XMR). On the Ripple Subreddit, user “mr_lazy85” made the following joke in response to a question that asked why the hackers asked for XRP instead of BTC: “I guess the hackers didn’t want to wait hours to receive the ransom.”