Two major Canadian banks have warned Monday that hackers may have accessed the personal information of nearly 90,000 customers. The Bank of Montreal (BMO) said "fraudsters" contacted the institution on Sunday saying they were "in possession of certain personal and financial information for a limited number of customers."
"We believe they originated the attack from outside the country," BMO said in a statement. "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation."
A BMO spokesman said less than 50,000 of the bank's 8 million customers across the country were affected, Reuters reports. The fraudsters reportedly threatened to make the information public, the spokesperson said, noting that the bank is conducting a thorough investigation and is working with local authorities.
BMO is currently contacting potentially impacted customers and has advised them to monitor their accounts for any suspicious activity.
Meanwhile, Canadian Imperial Bank of Commerce - the country's fifth biggest lender - said it was also contacted by fraudsters on Sunday claiming they had electronically stolen the personal and account data of 40,000 customers of its direct banking brand Simplii Financial.
CIBC said it has yet to confirm the breach, but is taking the claim seriously and investigating to verify its accuracy. The institution said it "moved quickly to implement enhanced online fraud monitoring and online banking measures" and is proactively reaching out to clients regarding the incident.
"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," Michael Martin, senior vice-president of Simplii Financial, said in a statement. "We feel that it is important to inform clients so that they can also take additional steps to safeguard their information."
The bank noted that customers at its main banking division were not affected. However, it noted that clients who become victims of fraud due to the incident will receive 100% of the money lost from the affected bank account.
Both banks have not disclosed what type of information was stolen in the incidents. However, one customer told CBC News that a fraudulent transfer of CA $980 was made from his Simplii Financial account on Saturday, likely indicating account data may have been compromised in the attack.
MalwareBytes Labs researcher Jerome Segura told CBC News that it unlikely for hackers to reach out to the affected company regarding the stolen data.
"It's probably just that they were trying to blackmail them," Segura said. "They had access to a certain amount of data, probably showed proof that they had this data, and most likely were trying to blackmail the banks [by] saying, 'We're going to release this or else we can work something out.'"
Other major Canadian banks said they were not affected by similar breaches and there is currently no indication their customers have been affected. The Office of the Privacy Commissioner said it has been notified by both financial institutions regarding the issue.