Quebec-based credit union federation learned of data breach from police
Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.
Attacks against BMO and CIBC-owned Simplii, which compromised the information of up to a combined 90,000 Canadians and were made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.
CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.
The banks would not confirm the CBC report Tuesday. BMO said only that a “threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.
Both banks said they took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.
The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.
Recent examples include a failed attempt at Uber to pay off hackers, only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.
Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.
The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.
“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”
However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties, which makes it harder for companies to set up defensive plans, said Kabilan.
“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”
Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.
“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”
BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.
Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.
Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.
“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”
The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.
“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”
Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.
The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.
“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.
“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.
The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data they accessed.
Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.
The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.
Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.
Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.
Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.
“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.
Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.
“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”
The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.
“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.
“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”
Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.
The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.
Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.
In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.
New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.
The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.
By David Paddon
THE CANADIAN PRESS
Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.
“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.
Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.
Bell also told customers that additional security, authentication and identification requirements have been implemented.
“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.
Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.
“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.
Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.
Anderson said that the public should realize that centralized data is vulnerable, by its nature.
“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.
Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.
The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.
But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.
While there are no guarantees as to which communications will ultimately be protected by privilege, a company can increase its odds of creating a sphere of privilege-protected communications in the aftermath of a data breach by giving consideration to such issues in structuring its internal investigations.
Below we highlight lessons learned from the decision of the United States District Court for the District of Minnesota following the much publicized December 2013 data breach involving Target Corporation (Target).
Following its data breach, Target initiated a two-track investigation.
On one track, Target set up an ordinary course internal investigation aimed at determining how the breach occurred and how Target and the credit card brands could respond to it. A team from Verizon Business Network Services (Verizon) was retained to assist with this investigation.
On another track, Target’s external counsel retained a separate team at Verizon to investigate and educate external counsel about the breach so as to “enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory enquiries.” As part of this track, Target also struck a task force to assist external counsel.
Plaintiffs’ counsel sought records relating to both tracks of the investigation, arguing that everything should be producible because Target needed to undertake an investigation even if there had been no lawsuit.
THE COURT’S DECISION
Target was by and large successful. The court found that the documents relating to the second track investigation, including Verizon’s work product, were privileged. It found that these investigations were not focused on remediation of the breach, but on informing Target’s counsel about the breach so that Target’s lawyers could provide the company with legal advice and defend the company in pending litigation.
The only documents the court required to be produced were certain emails from Target’s CEO to the board of directors that provided an update on Target’s response from a business perspective.
Where a post-breach investigation involves employees, contractors or other third parties, Ontario courts are likely to consider privilege using similar factors as the court in Target. In particular, to assess whether solicitor-client privilege extends to communications between counsel and third parties, Ontario courts are likely to consider whether the third party’s role was to educate counsel and facilitate legal advice. With regard to litigation privilege, Ontario courts are likely to consider whether the communications at issue were prepared for the dominant purpose of existing or anticipated litigation, or as part of a normal course investigation.
With this in mind, a company can increase its odds of preserving a sphere of privileged communications by taking the following steps:
- Create a work stream designed specifically for the purpose of obtaining legal advice
- Have internal and external legal counsel involved in the direction and execution of that work stream
- Have third-party contractors retained by external counsel for the specific purpose of assisting in the litigation
While taking such steps will not guarantee privilege protection, a thoughtful and deliberate work plan increases the odds.
By Colin Perkel
THE CANADIAN PRESS
TORONTO - Two gamblers who allege their privacy was breached are spearheading a proposed class action against an Ontario casino whose databases were hacked.
In a notice of action, they also alleged Monday that Casino Rama, north of Toronto, unjustly enriched itself at the expense of the claimants.
In the allegations contained in the notice, Leonid Kaplan, of Barrie, Ont., says he provided casino staff with copies of his driver’s licence and credit card when he went there to gamble in September.
Kaplan says he received an email from the CEO of Casino Rama, John Drake, on November 10 with the subject line: “Unauthorized Access to Personal Information.”
The email stated that the organization had been the “victim of a cyberattack that resulted in the theft of past and present patron, employee and vendor information.”
The casino publicly confirmed the attack last week but did not say exactly when it occurred or over what period.
The other proposed representative plaintiff, Cheryl Mizzi, of Stouffville, Ont., says she and her husband regularly went to Casino Rama starting in 1999. They last visited in 2015. She, too, provided various forms of identification.
Neither proposed plaintiff has said what losses, if any, they incurred as a result of the privacy breach.
The lawsuit also names Ontario’s gaming commission, the Penn National Gaming and its Ontario subsidiary, which run the casino, and the Chippewas of Rama First Nation where the facility is located.
The suit, which has yet to be certified as a class action or tested in court, seeks $50 million in damages as well as another $10 million in punitive damages.
Lawyer Ted Charney said Monday the “unjust enrichment” claim arises from the casino generating revenues from gambling when customers thought reasonable security measures were in place to protect privacy.
“The casino elected not to invest in adequate staff and technology while collecting gambling revenues, promising to provide adequate security measures,” Charney said.
The suit also alleges the defendants breached contracts and violated consumer laws.
A Casino Rama spokeswoman did not address the allegations, but said Monday the organization was working with the authorities on the ongoing investigation.
“We are limited in how much detail we can provide,” Jenna Hunter said. “We deeply regret this situation and recognize the seriousness of the issue.”
Casino Rama Resort warned its customers, vendors as well as current and former staff last Thursday to keep an eye on their bank accounts, credit cards and other financial information.
The casino said it had “recently” discovered that it had become the victim of a cyberattack that resulted in the large-scale data theft.
“The hacker claims that the employee information dates from 2004 to 2016, and that some of the other categories of information taken date back to 2007,” the casino said in a statement.
The resort, which has 2,500 slot machines and more than 110 gaming tables, said the games themselves weren’t hacked.
Located on Rama First Nation, the casino opened 20 years ago.