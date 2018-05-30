CIBC and BMO are scrambling to reassure clients in the wake of an extortion attempt by cybercriminals involving the financial information of tens of thousands of Canadians. The security lapse calls into question the diligence of two of the nation’s largest financial institutions, according to a leading voice on cybersecurity.

Former Ontario Information and Privacy Commissioner Ann Cavoukian said she was baffled by the promises to shore up security issued by the two banks after it was revealed on Monday that “fraudsters” accessed data now believed to belong to as many as 90,000 clients.

“They should have been doing that from the beginning,” she told CTV News Channel on Wednesday. “I expected them to have the highest level of protection possible, and clearly they didn’t.”

CIBC's direct banking brand Simplii Financial and BMO said they learned of the potential breach on Sunday. Media outlets received a letter via email on Monday from someone demanding $1 million from the two banks by midnight in order to prevent the online sale of the stolen trove of data.

In a series of tweets on Wednesday, Simplii said a dedicated team is working to “make this right,” and those whose accounts have been frozen online can continue to use ATMs and receive cash back at point of sale terminals.

BMO said on Tuesday that it is offering free credit monitoring, and will block online and mobile access to the accounts of those affected, which the bank believes is fewer than 50,000 clients.

Both banks have committed to returning 100 per cent of any money lost as a result of the breach.

Cavoukian said she concedes that there is no such thing as “zero risk” when it comes to data protection, but is still shocked that institutions with the resources of Canada’s big banks may have been bested by hackers.

“Everyone knows that there are daily massive cyberattacks. Everybody knows the banks would be the ideal target for these individuals,” she said. “It’s point, counter-point, much like a chess game. But why wouldn’t the banks have their own hackers to be able to identify (problems)?”

Cavoukian warned that missing funds are not the only risk for BMO and Simplii clients.

“These hackers not only have access to your finances, but to your social insurance number, your date of birth, your name, your address. They can assume your identity,” she said. “Be wary of identity theft. That would be my concern.”

