90,000 affected as CIBC and Bank of Montreal disclose data breaches

Two of Canada’s biggest banks have confirmed that they have suffered data breaches. The Bank of Montreal (BOM) said in a statement on Sunday, May 27 that up to 50,000 customers’ data had been stolen by criminal hackers. The same day, the Canadian Imperial Bank of Commerce (CIBC) said that the personal data of approximately 40,000 customers of its subsidiary, Simplii Financial, had been compromised.

$1 million CAD demanded by the hackers

Both banks said that they had been contacted by the criminal or criminals who appear to be behind both breaches. The attackers claimed to be in possession of the personal data and demanded $1 million CAD (about $770,000) in cryptocurrency in return for deleting it.

Although blackmail is involved, this wasn’t a ransomware attack, as there are no reports that either bank was unable to access its systems. Rather, the attackers’ threat rests on the claim that they hold copies of the information and have not yet misused it, but will do so if they are not paid.

There is a serious flaw in this plan. Blackmail involving personal data doesn’t work like a kidnapping or a stolen possession, because the asset in question (the information) can be duplicated at no cost. The banks have no way of knowing whether the criminals have kept copies, in which case paying the ransom is pointless. Even if a ransom is paid, there is no way to verify that any copy of the information has actually been destroyed.

There’s another problem: as soon as the criminals accessed the information, the incident already counted as a data breach. A breach doesn’t only mean the misuse of data. It also covers the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In other words, the banks have nothing to gain from paying off the crooks.

Fortunately, the BOM and the CIBC quickly realized this and made the breach public. Notification requirements are less strict in Canada than in the US, so reports of breaches are rarer and therefore attract more attention. Nevertheless, disclosure allows affected customers to check whether their information is being used suspiciously and, if so, to act accordingly. It also sends a clear message to criminals that blackmail won’t work.

‘Extremely rare’

The banks’ responsible reaction to the breach shows the maturity of their cybersecurity measures. Commenting on the incident, the Canadian Bankers Association said: “This past weekend’s cybersecurity incident is an extremely rare occurrence for Canadian banks, which are known for their leading cybersecurity practices.

“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers.”

Protect your organization

No organization is immune from attack, so breaches can still happen to those that are well prepared. However, a strong cybersecurity culture can be the difference between a slight disruption and a public relations nightmare. You only need to look at the mess Uber got into when faced with a similar situation. The transport service company decided to pay up when ransomed and then covered up the fact that it had been breached. When this became public, the organization faced a fierce backlash and a series of regulatory investigations.

You can make sure your organization follows cybersecurity best practices by implementing ISO 27001, the international standard for information security management.

The Standard is particularly useful if you are subject to the New York Department of Financial Services (NYDFS) Cybersecurity Requirements. The law, which took effect on March 1, 2018, introduces strict rules for financial institutions that have a branch in New York State, as well as third-party suppliers of New York-based institutions. Its requirements are aligned with ISO 27001, so adopting the framework will help you stay secure and achieve regulatory compliance.

You can learn more about the Standard by enrolling on our ISO27001 Foundation and Lead Implementer Combination Course. This four-day course guides you through everything you need to know about the Standard, starting with the basics and moving on to advanced topics. You’ll learn:

  • How to create an ISO 27001-compliant information security management system (ISMS)
  • The benefits of implementing ISO 27001
  • How to develop the skills required to implement the Standard’s framework
  • The nine steps to ISO 27001 success

The course will run in New York in August and October 2018. Alternatively, you can study on dates throughout the year, and from the comfort of your own home or office, with our Live Online option.

Find out more >>