Learning from Canadian Bank Cyber Incidents

Two major Canadian banks, Simplii Financial and Bank of Montreal (BMO), experienced cybersecurity incidents over the weekend. Simplii Financial advised clients that it has implemented additional online security measures in response to a claim that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii’s clients as of Sunday, May 27, 2018. Simplii Financial is the direct banking brand of CIBC.

Simplii further shared that it began investigating immediately upon learning of the potential issue to understand the claim and verify its accuracy. They also activated enhanced online fraud monitoring and online banking security measures.  Michael Martin, Simplii Financial’s Senior Vice-President, said, “We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures. We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

Malicious actors also contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers.  BMO believes the attack originated outside of Canada. In response, BMO announced that it had taken immediate steps to close off the exposures “related to customer data” had been closed off. They also notified and are working with relevant authorities as they continue to assess the situation.

The quick responses of the banks show how seriously these institutions take such incidents. It also demonstrates the power of regulation to guide banks in handling security breaches. However, cybersecurity professionals following the events remain concerned about these two episodes. For example, Tim Erlin, VP of product management and strategy at Tripwire, remarked, “Very simply, this isn’t the whole story. The initial disclosure of an incident like these rarely includes all the details because it takes time to investigate. Regardless, any unauthorized access to sensitive customer data should be taken seriously and fully investigated. Identifying a root cause and any attribution can be tricky, but it’s worth the effort in order to implement the right preventative controls.”

Erlin then added, “Banks have long been primary targets of cyber criminals because that’s where the money is. While defenses have improved with investment, criminals have updated their tactics as well. It’s unlikely that this cyber-arms race will end any time soon.”