Bank Breaches reaffirm the importance of training your users on security awareness best practices.
Monday morning, May 28, CIBC warns customers that they have been targeted by hackers who have obtained the personal information of 40,000 clients.
Later that same day, BMO reveals that it, too, had received a tip that data on up to 50,000 customers was stolen.
Simplii Financial, owned by both CIBC and BMO, received a tip over the weekend that hackers had stolen the data and were demanding a $1 million ransom. Investigators suspect that the same group of fraudsters was behind the attacks at both banks.
The attacks revealed Monday are unusual in that the hackers themselves tipped off the bank. David Masson, Country Manager for Canada at cyber defense firm Darktrace, said that he suspects the attack was likely a “spear phishing” attack. A spear phishing attack uses an email that is specifically targeted and personalized and appears to come from a known sender.
Security Awareness: A Top Priority
This news story highlights why security awareness training should be a top priority for companies of all sizes. Employees need to be made aware of the scams run by the many hackers and cybercriminals who scour the web searching for vulnerabilities, as the current bank breaches show. The onslaught of phishing emails in recent years, such as the probable spear phishing email that opened the door for the CIBC and BMO hackers, should be a red flag reminding companies that employees need to be trained to recognize the signs of phishing in order to avoid becoming victims. As the old saying goes, “An ounce of prevention is worth a pound of cure!”
Data breaches are becoming more and more common. Keeping the dialogue on security awareness going helps lessen the chances of being victimized by a breach. Conducting periodic security awareness programs enables employees to gain knowledge and learn the techniques that are essential when facing possible security issues. The BMO and CIBC case demonstrates the importance of keeping the security conversation going to safeguard against these malicious cybercriminals. Periodic awareness training is a must, since the weakest link in any company’s cybersecurity is the human factor. Organizations should make a point of routinely simulating hacking or phishing attacks to keep employees on their toes when it comes to the cybersecurity risks they might face each day.
Back to our News Story…
Cybercriminals distributed a letter to media outlets across Canada, threatening to sell the personal data if the ransom was not paid by 11:59 pm that evening. The email ended with a sample of the information in question: the name, date of birth, social insurance number, and account balance belonging to an Ontario resident.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, Senior Vice-President at Simplii Financial. “If a client is a victim of fraud because of this issue, we will return 100 percent of the money lost from the affected bank account.”
Investigations into the bank breaches are currently underway.