BMO and CIBC’s Simplii warn fraudsters may have accessed data of 40,000 clients

TORONTO – Two of Canada’s biggest banks are warning that “fraudsters” may have accessed certain personal and financial information from some customers.

The Bank of Montreal said fraudsters contacted the bank on Sunday claiming to be in possession of certain data for a “limited number of customers” and it believes the attack was originated outside of Canada.

A CIBC sign in Toronto’s financial district in downtown Toronto is shown on Thursday, Feb. 26, 2009. The Canadian Imperial Bank of Commerce is taking over President’s Choice Financial bank accounts with a new online brand as it responds to the continuing trend towards digital banking.THE CANADIAN PRESS/Nathan Denette

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” BMO Financial Group said in a statement on Monday.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring.

Both banks say they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

BMO and Simplii also said they are working with the relevant authorities.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Simplii adds that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach. In November, ride-sharing company Uber said hackers stole names, email addresses and mobile phone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1. The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible” – not within a specific time limit. Previously, companies which had been hacked had been alerting the public on their own timeline.