Two Canadian banks warn attackers may have stolen customer data

Simplii Financial and Bank of Montreal are believed to have suffered a twin attack that was soon followed by blackmail threats

Two Canadian banks have announced that cybercriminals may have made off with the data of up to 90,000 of the banks’ customers in apparent security breaches, according to a report.

Online bank Simplii Financial revealed on Monday that it had been tipped off on Sunday that attackers had accessed the personal and account information of 40,000 customers. Meanwhile, Reuters wrote that the fraudsters themselves contacted the lender, which has around two million customers and is a direct banking brand of Canadian Imperial Bank of Commerce (CIBC).

While not confirming the breach, Michael Martin, Senior Vice-President at Simplii Financial, said in a statement that the bank is taking the information seriously and that it has implemented measures to further enhance the bank’s monitoring and security procedures.

A few hours later, Bank of Montreal (BMO) announced that it had been contacted by fraudsters who claimed to be in possession of personal data belonging to BMO’s customers. It is thought that the information of up to 50,000 of the bank’s eight million customers was compromised.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” said the bank.

The lender also said that the incident was followed by a threat to make the data public. “A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” reads BMO’s statement as quoted by CTV News.

The bank believes that the attack originated from outside the country and that it appears related to the incident at Simplii Financial.

Meanwhile, a number of media outlets in Canada also received emails on Monday in which someone who claimed to be in possession of the stolen information threatened to sell the data unless the banks forked out a $1-million ransom each “by 11:59 p.m.”.

“Criminals will use Simplii and BMO client information(s) to apply for products credit using social insurance number, date of birth and all other personnal info,” reads the imperfectly-phrased email as quoted by

The missive also contains a sample of personal data, thought to be stolen, that belongs to a man from Ontario and a woman from British Columbia. When approached by, the woman affirmed that the information (name, date of birth, social insurance number, and account balance) was accurate.

Both BMO and Simplii Financial’s owner, CIBC, said that they have reached out to relevant authorities and that thorough investigations are under way. Canada’s fourth and fifth biggest lenders, respectively, BMO and CIBC also said that they will be contacting customers and recommended that clients monitor their accounts.
