BMO and Simplii Financial, which is CIBC’s direct banking brand, warned of a possible client data breach on Monday.
BMO said “fraudsters” contacted it on Sunday, May 27, claiming to have gained access to the personal and financial information of “a limited number of customers.” The bank said it believes the attack originated from outside the country.
The warning from BMO follows a similar alert from Simplii, which said fraudsters may have electronically accessed data from 40,000 client accounts.
READ MORE: Attack on Canadian banks: BMO, CIBC’s Simplii warn of similar possible client data breach
Canadians who claim to be Simplii customers report fraudulent e-transfer withdrawals
Neither bank has confirmed whether customers suffered financial losses as a result of the potential attack. However, several social media users who claim to be Simplii clients reported online that their accounts were hacked and money stolen over the weekend. Global News reached out to a few of them but has not been able to verify whether that alleged fraudulent activity is linked to the broader potential attacked flagged by the bank.
READ MORE: CIBC sees bumpy transition of PC Financial accounts to Simplii
Jennifer Gaudet, in Ottawa, said a total of $2,899 was taken out of her account without her knowledge over the weekend through two Interac e-transfers. The alleged withdrawal was just under her $3,000 limit for electronic transfers, she noted.
“I have a home insurance coming up tomorrow,” Gaudet told Global News, adding that she had been frantically trying to set up an alternate payment system with her insurer so that her bills would not go unpaid.
Gaudet said she started suspecting fraud when she wasn’t able to log into her bank account on Saturday and noticed her security questions had been changed. When she called Simplii to flag the issue, however, she claims she was simply offered a password reset.
On Sunday, however, she was reportedly once again locked out of her account. And once again Simplii offered to reset her password, she said. It wasn’t until Gaudet expressed concern about suspicious activity that she was told someone had transferred $2,889 out of her account, she told Global News. Although the transfer went to one of Gaudet’s pre-approved Interac recipients, someone had changed that recipient’s email, she added. A previous illicit transfer had withdrawn $10, she also said.
READ MORE: GDPR is the EU data privacy and protection law that could change the Internet — even for Canadians
Gaudet said Simplii put a stop order on the transactions, but that the money hasn’t made it back into her account yet. She also added that the bank never proactively contacted her about the transfers and that she’s been told it could take seven to 10 days to receive a reimbursement.
Global News spoke to two other alleged Simplii customers who described similar fraudulent activity.
Jeff Steinman in Kitchener, Ont., said he lost access to his online banking account on Saturday, when Simplii alerted him of unusual activity and froze his bank card. He later found out of several unauthorized e-transfers between his account and that of one of his existing Interac payees, he told Global News.
Steinman said he’s out several hundreds of dollars but has been told he’ll receive a reimbursement in one to two business days.
READ MORE: Not just Facebook: How retailers and the payments industry can track, profile you
Another man said fraudsters recently took $660 out of his chequing account via a Interac. Global News is seeking more information on this alleged illicit transfer.
Several social media users said that they had been told they would receive a refund within up to two business days. While some said they had already been made whole.
CIBC and Simplii did not respond to repeated requests for comment about the possible data hack and alleged client reports of fraudulent e-transfers.
Global News did not see any reports of BMO bank clients reporting suspect activity over the weekend.
READ MORE: Can you trust your bank? Here’s what to watch for based on a new financial watchdog report
Additional security measures
Simplii said it has implemented additional online security measures as it continues to investigate. The changes include enhanced online fraud monitoring and online banking security measures.
BMO said it is “confident” that “exposures identified related to customer data have been closed off.”
Both banks said they are reaching out to clients and advised those who notice any unusual activity to get in touch.
A message appearing on the Simplii app on Monday says that “fraudsters may send messages asking for personal information.” The bank said to send any suspicious correspondence to fraud@simplii.com.
There is no indication that clients who bank through CIBC have been affected, the bank said.
With files from the Canadian Press
Comments