BMO account holders’ social insurance numbers revealed in data dump
Katherine DeClerq, CTV News Toronto
Published Wednesday, May 30, 2018 6:14PM EDT
Last Updated Wednesday, May 30, 2018 10:45PM EDT
Social insurance numbers, birth dates, and account numbers were among the pieces of personal information hackers may have obtained when targeting two of Canada’s biggest banks.
Those details were incuded in a dataset posted to an online forum called Postbin on May 28. The information was accessible for about five hours, between 2 p.m. and 7 p.m. before it was removed.
The data obtained by CTV News Toronto included customer names, account numbers, social insurance numbers, dates of birth, email and home mailing addresses, phone numbers, occupations, and citizenship information.
One hundred people were listed on the data sheet. The individuals contacted by CTV News Toronto all confirmed they were clients of Bank of Montreal (BMO).
Some of the people who spoke with CTV said they received emails urging them to take precautions to protect their bank information, but seemed shocked to hear the extent of the information that was accessed.
Melissa Mallette, a BMO customer of over 15 years, said she was first told by the bank that her debit card had been compromised, which she got replaced. Mallette says she then received a call from the fraud department saying her postal code, phone number, name and birthday may have been accessed in the hack.
When CTV News revealed to Mallette that her social insurance information was posted online, she choked back tears. “I fell completely broken … it’s all revealed … I’m all shook up about it,” Mallette explained. “It’s very frightening.”
Romano Disabatino, another BMO customer, said he called the bank earlier and they assured him his account information was safe.
“That’s a huge lie,” Romano said over the phone. “Since then, all my accounts are connected with my children’s, so we have all changed our passwords. That’s the only thing I could think of right now.”
Two other women told CTV News Toronto they spoke with BMO representatives and were told not to be concerned.
According to Ann Cavoukian, former information and privacy commissioner of Ontario, this data is exactly what a hacker needs to assume someone else’s identity.
“I was somewhat surprised because surely you would expect the banks to secure our most sensitive information,” she said. “I expected them to have the highest level of protection possible and clearly they didn’t.”
Cavoukian said that identity theft is “a nightmare” and can take years to sort out.
Paul Gammal, a spokesperson for BMO, sent CTV News Toronto a statement in response to inquiries about the data breach.
“We are focused on supporting our customers and protecting their accounts. This includes proactively reaching out to potentially-impacted customers, providing complementary credit monitoring and assuring them that they will be fully reimbursed for any financial impact from unauthorized transactions.”
On Monday, both BMO and CIBC’s direct banking brand Simplii Financial said that “fraudsters” may have accessed the combined personal information of up to 90,000 customers.
On the day of the hack, Gammal told the Canadian Press that BMO had been contacted by hackers claiming to have the personal information of tens of thousands of their customers. The hackers threatened to make the information public unless compensated.
"A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers," Gammal said.
Both banks said they would be notifying clients who were impacted by the breach and recommended customers check their accounts for suspicious activity. They have also said they are offering free credit monitoring for customers and will be enhancing their security measures.
“Everyone knows there are daily, massive cyber security attacks and of course, the banks would be ideal targets for these individuals,” Cavoukian said. “I don’t know why they would be resorting to it now, enhancing their security measures. They should have done it at the beginning.”
One BMO customer, named Tobin, said he also received an email from the bank telling him to take precautions.
“They just sent me an email telling me to take precautions on my security measures, change your pins, change your credit cards and watch my accounts for the next couple of weeks,” he said. “I’m a little concerned by it all, everyone should be, but I’m not sure if I have anything to worry about yet until I go in and talk to the bank personally.”
-With files from Canadian Press