According to a CBC News report Tuesday, the two banks hit by the breach, Bank of Montreal and CIBC’s online bank Simplii Financial, have said that the personal information of a total of 90,000 account holders had been taken – including identifying data such as names, account numbers, passwords.
The thieves even claimed to have obtained security questions and answers, social insurance numbers and account balances, the report says.
An email sent by the hackers – reportedly from Russia – demanded a ransom of $1 million in XRP, a cryptocurrency developed by blockchain payments startup Ripple, saying they would release the data if it wasn’t paid before the close of May 28. It is not clear if the $1 million demand was expected to be paid in a U.S. or Canadian dollar equivalent.
As proof that the breaches did indeed obtain the claimed customer data, the hackers provided information on one customer from each of the two banks.
Hackers who stole information on thousands of Canadian bank users have demanded $1 million-worth of the cryptocurrency XRP to not release the data trove.
The email further explained that the hackers had used an algorithm to create account numbers, which had then been used to pose as genuine account holders and get the related security questions reset by the banks. Security measures at the institutions also came under fire, with the message stating:
“They were giving too much permission to half-authenticated account which enabled us to grab all these information. … The bank was not checking if a password was valid until the security question were input correctly.”
CBC News said it had contacted both banks over whether any ransom had been paid. “Our practice is not to make payments to fraudsters,” Bank of Montreal reportedly said, while Simplii did not directly answer the question.