BMO said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.
CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.
Neither bank has confirmed whether customers suffered financial losses as a result of the potential attack. However, several social media users who claim to be Simplii clients reported online that their accounts were hacked and money stolen over the weekend.
Other Canadian banks, including Royal Bank, Scotiabank and Toronto-Dominion Bank, said there’s no indication they were affected.
Simplii said that there’s no indication CIBC customers were affected.
Here’s what Canadians who fear they could have been affected by the potential breaches should know.
Monitor activity on paper
Both affected banks said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.
This will aid the banks in figuring out if the breach actually happened, and what type of information was collected.
Simplii said to send any suspicious correspondence to firstname.lastname@example.org.
WATCH: BMO and CIBC online bank warn about possible cyber attacks
Joanne McNeish, an associate professor at Ryerson University’s Ted Rogers School of Management, advised that consumers should also keep track of activity using paper statements.
“Sophistication is getting quite good that people can manipulate your account in all kinds of ways, the advantage of paper is that you have a fixed record of what your activity was,” she said.
McNeish added that doesn’t mean people stop using online banking.
“I’m actually encouraging people to have a backup system, and possibly think about having one non-online account with one bank and an online bank account with another.”
Simplii also recommended users check their passwords to ensure they are strong.
McNeish said that it’s too late for consumers to update their passwords to protect against this hack, but they should do it as a regular practice.
WATCH: What you should do if your email gets hacked
She added that won’t necessarily protect consumers from wide-ranging data breaches, but it will make your argument to the bank more substantial.
“It will allow you to say to the bank, in your defence, ‘Well, I had a complex password, I had strong security questions.'”
Passwords should be complex, but never written down.
“If the bank discovers you’ve written it down, in fact, they will no longer compensate you,” McNeish explained.
What happens to any money lost?
Bank customers who are victims of fraud will receive 100 per cent of the money lost from the affected bank account, Simplii said Monday.
But McNeish explained this could take several months, and the onus would be on the customer to prove that money was unlawfully taken.
“They’re going to make each person defend themselves over a circumstance of which they had no control.”
WATCH: Hackers can exploit built-in speakers of smartphones and devices
That’s why McNeish said it’s even more important that consumers track their activity on paper, where it can’t be changed.
“By having other forms of the statement, like paper, you’re able to be more convincing with the bank that you, the customer, didn’t make the error.”
— With files from Global News reporter Erica Alini, The Canadian Press