BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.

“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.

The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data the fraudsters may have accessed.

Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.

Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.

Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.

International probe shuts down cyberattack provider

By Mike Corder

THE ASSOCIATED PRESS

THE HAGUE, Netherlands - In a major hit against cybercriminals, an international police operation has taken down what investigators called the world’s biggest provider of potentially crippling Distributed Denial of Service attacks.

Police hailed the success of the operation on Wednesday, saying that a joint investigation led by Dutch and British experts and supported by European Union police agency Europol led to the arrest on Tuesday of the administrators of the website webstresser.org.

Europol said webstresser.org had more than 136,000 registered users and racked up 4 million attacks on banks, governments, police forces and the gaming industry. Distributed Denial of Service, or DDoS, attacks attempt to make online services unavailable by overwhelming them with traffic from multiple sources.

“It used to be that in order to launch a DDoS attack, one had to be pretty well versed in internet technology,” Europol said in a statement. “That is no longer the case.”

The agency said that registered users could pay a fee of as little as 15 euros ($18) per month to rent its services and launch cyberattacks.

Administrators of the service were arrested Tuesday in Britain, Croatia, Canada and Serbia, Europol said. The illegal service was shut down and computers and other infrastructure seized in the Netherlands, the United States and Germany.

Croatian police said that a 19-year-old Croat, whom they described as the owner of webstresser.org, was detained on charges of “serious criminal acts against computer systems, programs and data” that carry a possible sentence of one to eight years in prison.

Gert Ras, head of the Dutch police’s High Tech Crime unit, said the operation should send a clear warning to users of websites like webstresser.

“Don’t do it,” Ras said. “By tracking down the DDoS service you use, we strip you of your anonymity, hand you a criminal record and put your victims in a position to claim back damages from you.”

Connected And Protected: Insuring Your Business Against Cyber Breaches

Article by Imran Ahmad

It was not long ago that a company’s cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.

Who Connects to You?

Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else’s system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.

What Connects to You?

The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using “privacy by design” principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.

How Can You Protect Your Business?

Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:

  • Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
  • Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
  • Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company’s reputation in the wake of a cyber breach.

Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it’s important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.

The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.

If you’re unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Chubb Launches Proprietary Online Cyber Risk Index

Chubb, a leader in cyber risk assessment and underwriting, has launched its Chubb Cyber Index℠, a new interactive platform that showcases nearly two decades worth of Chubb’s proprietary commercial cyber claims data. The Index is designed to highlight a range of cyber threats based on an organization’s industry and size.

“We’re thrilled to offer businesses throughout North America this interactive capability to provide insight into real threats facing them on a daily basis,” said Bill Stewart, Division President of Chubb’s Global Cyber Risk practice. “The first step to protecting a business from a cyber attack is staying aware of what threats are most prominent to a company’s size and industry. Our Cyber Index will help users to better understand their exposures and manage risk before a cyber incident occurs.”

The innovative Index provides users with a simple and immediate means of identifying the leading cyber risks their business may face based on real-world examples of cyber attacks and data breaches. With a user-friendly interface, accessible via desktop or mobile device, users are able to set parameters unique to their company, and view historical trends based on type of threat, size of a company and which industry that company operates within.

“Chubb has nearly two decades of cyber claims data, which enables us to help clients gain insight into the types of events affecting their industries,” said Michael Tanenbaum, Executive Vice President, Chubb. “That insight has helped us to monitor the evolution of the marketplace and understand various threats and how they impact different businesses, based on their profile.”

Along with delivering key intelligence to businesses of all sizes, the Index will be updated biweekly, and ultimately will deliver real-time data.

“As cyber risks evolve, Chubb will continue to focus and respond to the environment by its strong commitment to the industry and by providing best-in-class solutions to clients,” said Mr. Tanenbaum. “In the meantime, organizations of all sizes need to proactively assess current procedures in place to mitigate the risk from potential cyber-attacks, and ensure that their cyber insurance policy is structured to address any gaps.”

The Index is free to access and can be used at http://www.chubb.com/cybermedia.

About Chubb:
Chubb is the world’s largest publicly traded property and casualty insurance company, and the largest commercial insurer in the United States. With operations in 54 countries and territories, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. As an underwriting company, we assess, assume and manage risk with insight and discipline. We service and pay our claims fairly and promptly. The company is also defined by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at: chubb.com.

SOURCE Chubb

Cyber Cross-Jurisdictional Risks And The Impact Of GDPR: Europe

Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn

Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.

An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.

Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.

Cyber cross-jurisdictional risks not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so-called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of those information technology systems, components and processes which are essential for the functioning of the critical infrastructure they operate. Operators of such infrastructure have to prove to the German Federal Office for Information Security (“BSI”) every two years that they are meeting these requirements.

Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for executive boards of banking institutions regarding the banking supervisors’ expectations with respect to a secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the banking sector in Germany. Financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and the measures to achieve them. BAIT furthermore requires companies to put in place information risk management, information security management and user access management. Similar regulatory requirements for insurance companies are expected to be published at the end of 2018.

Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States, where cyber cases have already been the subject of legal proceedings, than in other countries such as Germany, where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies, and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve the legal certainty of policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability alongside the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.


Source: Mondaq

Bell Canada alert prompts RCMP, privacy watchdog to investigate data breach

By David Paddon

THE CANADIAN PRESS

TORONTO - The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.

Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.

Bell also told customers that additional security, authentication and identification requirements have been implemented.

“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.

Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.

“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.

Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

Anderson said that the public should realize that centralized data is vulnerable, by its nature.

“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.

Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.

The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.

But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.
