BMO and CIBC-Owned Simplii Financial Suffer Data Breaches

Two large Canadian financial institutions have reported data breaches over the weekend.

Simplii Financial—a banking subsidiary run by CIBC that was created to replace President’s Choice Financial—as well as BMO both suffered attempted hacks. According to Simplii, up to 40,000 customers may have been affected, while BMO did not share the total number of customers that may have been affected. When Simplii transitioned from PC Financial, it had around two million customers, which would mean roughly two per cent of Simplii’s customer base is affected by this hack.

The banks were apparently alerted to the hacks by two separate warnings. Simplii was the first to hear about the hack and reported the news on Monday morning after tipsters alerted the bank to the data breach.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, an SVP at Simplii.

BMO followed suit and alerted their customers on Monday morning that they were attacked as well, though they did not disclose how many customers were affected. BMO says they were contacted directly by the hackers, who are believed to be outside of Canada.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” BMO reps said in a statement. “BMO has strong and robust processes in place to protect customer data and we take customer privacy very seriously. Customers are recommended to monitor their accounts and notify BMO with any suspicious activity.”

The wording in BMO’s statement appears to confirm that they did lose data, though the bank declined to say how many customers were affected or what kind of data was involved.

BMO’s lack of clarity about the number of customers affected may be illegal as soon as this year. The federal government is pushing new regulations into effect on November 1 that will force companies to be as transparent as possible when it comes to sharing information about compromised data. This means BMO and Simplii would have to share a description of the breach’s circumstances; when the breach occurred; personal information that may have been leaked; how the company will reduce the risk of harm to the breach victim; steps the victim can take themselves to reduce harm; a way to obtain more information about the breach; and information about an internal complaint process.

Data breaches are increasingly the norm for all kinds of companies. A shocking report found that nine of 10 companies in Canada suffered data breaches last year, highlighted by huge attacks on companies like Nissan, Uber and Equifax.

BMO and Simplii have begun to contact customers who may have been affected, and Simplii has stated that other CIBC customers were not affected by the hack.