Canadian Bank Hackers Demand $1 Million In XRP

Crime, News | May 31, 2018 By:

Hackers who claimed they were in possession of the personal information of tens of thousands of customers from two Canadian banks are threatening to make it public unless the lenders pay $1 million-worth of the cryptocurrency XRP.

On Tuesday, Bank of Montreal and online bank Simplii Financial, a subsidiary of CIBC, revealed that they learned over the weekend that the personal information of a combined 90,000 different account holders at the two banks was stolen. Stolen information included names, account numbers, passwords, security questions and answers, and even social insurance numbers and account balances.

The banks said they received emails from the hackers threatening to sell the information to “criminals” if it wasn’t paid before the close of May 28.

“We warned BMO and Simplii that we would share their customers informations if they don’t cooperate,” said the email, which appears to have been sent from Russia. “These … profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don’t get the payment before May 28 2018 11:59PM. Criminals will use Simplii and BMO client informations to apply for products credit using social insurance number, date of birth and all other personnal info.”

The hackers claim that they used an algorithm to generate account numbers, which allowed them to pose as genuine account holders who had simply forgotten their passwords.

“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said, adding that the system “was not checking if a password was valid until the security question were input correctly.”

The banks said they would be notifying clients who were impacted by the breach and recommended customers to check their accounts for suspicious activity. The banks are also offering free credit monitoring for customers and will be enhancing their security measures.

Ann Cavoukian, former information and privacy commissioner of Ontario, said that this data is exactly what a hacker needs to assume someone else’s identity. She added that identity theft is “a nightmare” and can take years to sort out.

“Everyone knows there are daily, massive cyber security attacks and of course, the banks would be ideal targets for these individuals,” Cavoukian said. “I don’t know why they would be resorting to it now, enhancing their security measures. They should have done it at the beginning.”