Canadian banks hacked…what can consumers do in such a situation

June 1, 2018

Canadian banks hacked…what can consumers do in such a situation

You see it in the headlines (like this) when it happens to someone else, or in this case 90,000 other people. You never think it will happen to you. What happens when your personal data is compromised? What can you do to protect yourself-your identity?

Surely many of these consumers are wondering what they should do now! How can they (and you) protect their identity?

Putting it in context…in the news this week

At the beginning of the week two Canadian banks, Bank of Montreal (BMO) and Simplii Financial owned by Canadian Imperial Bank of Commerce (CIBC), informed their customers that their personal data may have been compromised.

A combined 90,000 customers across both banks were thought to have been affected by hackers gaining access to their personal and account information.

It’s thought that the same hackers are responsible for both attacks and it’s suspected that the attack vector used was spear-phishing-a purposely targeted rather than random attack.

BMO believes the fraudsters have been operating outside Canada.

CIBC, the first to warn their customers on Monday morning confirmed that it received a tip over the weekend that hackers had obtained the data and after undertaking a preliminary investigation they decided it was necessary to go public with the attack.

Not long after, BMO revealed that it had also received a tip that they had been hacked and that their customers’ data had been stolen. Strangely, the hackers were the ones to highlight the attack.

Those claiming to have the stolen data communicated to media channels throughout Canada, threatening to sell the information if the banks failed to pay the ransom of $1-million. They also included a sample of the information in question: the names, dates of birth, SIN and account balances of an Ontario man and a woman living in B.C.

The woman later confirmed that the information in the communication relating to her, which also included the answers to her three security questions, was accurate.

A further customer confirmed that $980 was fraudulently transferred from his Simplii Financial account. He stated, “My biggest concern is around my personal information in someone else’s hands.”

The thieves claimed to have accessed information including names, account numbers, passwords, security questions and answers, social insurance numbers and account balances, by exploiting weaknesses in the banks’ security systems.

Both banks acted fast to inform their customers of the breach and potential compromise of their personal information and have offered necessary guidance and support. Informing them to be alert and assuring them that any money that is stolen will be returned.

BMO is working with the authorities and contacting those who may have been affected. BMO has advised customers to keep track of their account activity and keep an eye out for anything suspicious.

Simplii Financial is also examining the claims and has reached out to customers, urging them to observe their accounts and use a complex password and PIN combination on their accounts.

Now what…what if it were you? What should you do?

In a situation like this, where you have been made aware of the breach, the likelihood is that you have an understanding of the type of data that has been exposed. As in this case, there is mention (and confirmation by a customer) of the type of data that has been stolen.

It’s important to take a bird’s-eye view of the situation. Think of the varied scenarios where the data could be used separately or combined. Don’t be complacent about it. It’s important to take action.

Remain vigilant as a lot of the time you may not notice immediate anomalies. It may happen months or even years later, so remain cautious and remember that if your data has been breached, it is out there and can potentially be used maliciously at any time.

Steps to take to help take back control

Follow data breach incidents

Follow them like you follow the news or the weather! Get into the habit of staying up to date with breach activity and cybercrime and the evolution of new attacks. At least once a week, research the breach incidences and stay on top of what is going on. This way you can be quickly alerted if something is amiss in your own accounts.

Pinpoint what’s been stolen

Find out what data was compromised in the breach (if you have not been informed of the details, find out!). A lot of the time, a single piece of information will not cause as much impact, but the combination of personal details increases the risk substantially. With a combination of stolen details like an email address, date of birth, bank card details, Social Security number, insurance number and passwords, a lot more damage can be done. With a name and Social Security number (for example), it’s possible someone can pose as you.

Change all your passwords

If an account is compromised, change the password as soon as you become aware. Additionally, change the passwords of other accounts, as it’s common practice that people use the same password for multiple accounts, even though this is not good practice. Ideally, you want to use different complex passwords and even 2FA whenever possible for each account.

Know the state of your money affairs

Most of us get our bank statements online and do not look at them as often as we should. Study them on a regular basis so that you can pick up on any fraudulent activity and take the necessary actions. You may be able to set up alerts, so whenever your card is used you are notified. It’s important to have a good idea of the transactions and the money coming in and leaving your accounts.

Contact relevant financial establishments

If you suspect that your account information has been compromised or you notice strange activity on your account, contact your bank as soon as you are aware. This way they can see if fraudulent activity has occurred and actions can be taken to protect your account.

Credit rating and reports

Consider using fraud alerts. These will make it harder for an identity thief to open an account in your name as verification will be required. Review your credit report/rating on a regular basis.

Consumer awareness is vital

Given the current business environment, the number of data breaches being reported daily and the impact identity theft has on consumers it’s very important to educate people about attacks such as these and improve awareness of the impacts of such crimes.

Research has shown that majority of consumers do not know how it is even possible for criminals to compromise their identities online let alone what they should do post-identity theft.

Knowing the risk and the vast impact of such crimes, it’s difficult to comprehend why so many don’t take these incidents, data protection and privacy more seriously.

Consumers need to know what to do and have a plan to action when a situation such as this unfolds. Especially since these breaches continue to happen and data, inexcusably, continues to be unprotected.