Bank of Montreal (BMO) and CIBC say up to 90,000 Accounts May be Affected
In late May, two Canadian banks revealed that they may have been hacked. Stories of cyberhacking are unfortunately common place these days but we still take notice when a bank is hit.
Banks have a responsibility to safeguard our money. Once upon a time, that meant locking it all up in a giant vault. Remember the old Bonnie and Clyde movies? If you wanted to rob a bank you went in guns blazing and with sticks of dynamite. Today cyberhackers can do far more damage and all it takes is a few keystrokes.
Banks do a better job than most businesses in maintaining good firewalls and keeping customer data safe from attack. Like the federal government has discovered, however, no one is ever completely safe.
Two weeks ago, I attended the Certified Fraud Examiners conference in Las Vegas. Many of the folks there are employed by banks and other financial institutions. One security professional told me a story about their success in fighting off daily hacking attempts.
His efforts were all for naught, however. A hacker simply just dropped a bunch of infected thumb drives outside one of the company’s offices. The unsophisticated trick worked. An employee picked up one of the drives and plugged it into his computer simply because he couldn’t contain his curiosity. The company was hacked.
In May, the Canadian Imperial Bank of Commerce (CIBC) disclosed that hackers claimed to have accessed 40,000 customer records. Although banks usually disclose very few details about cybersecurity breaches, they did notify the affected customers.
Bank of Montreal (BMO) also disclosed being contacted by hackers. Apparently less than 50,000 customers were affected. The bank has 8 million customers in Canada alone.
Canadian Banks and United States Whistleblower Awards
Many are probably wondering why the United States would care about hacking attempts involving Canadian banks. The answer is simple, both banks have many U.S. customers.
In the United States, Bank of Montreal operates as BMO Harris. BMO has 600 branches in the United States over 14,000 employees here. That means millions of U.S. customers.
Accounts in the United States are insured by the FDIC. These foreign banks are also typically regulated by the Office of the Comptroller of the Currency (OCC) and the Federal Reserve. A Canadian bank operating in the United States must also follow U.S. laws. And the three big bank regulators – OCC, Federal Reserve and the FDIC – all require stringent cyber security measures.
We aren’t claiming that BMO or CIBC failed to follow those regulations. Cyberhacking and cybersecurity is an ever evolving field. We understand that as quick as security professionals uncover one scheme, hackers invent another.
According to ccn.com, the hackers reportedly demanded $1 million . If BMO didn’t pay, the hackers threatened to publish the information on the dark web.
An email from the hackers reportedly contained actual account data so that the bank could verify that the threats were real. “These … profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don’t get the payment before May 28 2018 11:59PM.”
The email claimed that BMO and CIBC had sub-par security. “They were giving too much permission to half-authenticated account which enabled us to grab all these information… [the system] was not checking if a password was valid until the security question were input correctly.”
The email allegedly came from Russia. The hackers demanded payment in cryptocurrency.
Obviously, we don’t know whether either bank truly had “sub-par” security. We do believe, however, that if a bank has a widespread cyber security breach or fails to follow cybersecurity measures, there could be a violation of FIRREA. Mere negligence is probably not enough but a bank that doesn’t do enough to maintain security or covers up a breach or lies to regulators about their compliance could trigger a prosecution.
FIRREA – short for the Financial Institutions Reform Recovery and Enforcement Act – has become the Justice Department’s favorite tool for going after misbehaving banks.
When originally passed by Congress in 1989, the law was used to prosecute bank officers and outsiders who pilfered savings and loan and caused hundreds of banks to fail. Today the law has expanded to cover a bank’s own misconduct.
Postscript – Banks and law enforcement rarely comment much on cyberhacking incidents. Bank of Montreal, however, said in a release that it wasn’t going to pay. In recent incidents we have seen hospitals, banks and retailers successfully hacked. Many pay but others like BMO believe it is better to send a strong message to hackers.
Inside Knowledge about Bank Fraud? See if You Qualify for a Whistleblower Award
To qualify for a FIRREA award, one needs original source information about the wrongdoing. That means customers whose data was leaked probably don’t qualify. But bank insiders do qualify.
Despite billions of dollars in cyberhacking losses, many companies still don’t take cybersecurity seriously. We hear horror stories weekly from concerned insiders who are tired of being ignored.
If you have inside information about wrongdoing by a bank, give us a call. We can help you determine if the Justice Department or bank regulators are interested in your information. Credit unions qualify as well – the NCUA has their own cybersecurity regulations.
It doesn’t matter if the bank is based here or offshore or whether you are a US resident or not. The bank does have to be subject to US jurisdiction, however. That usually occurs when there are accounts or branches in the United States.
Rewards are based as a percentage of any fines or recovery. Rewards cap at $1.6 million and maximum rewards are common.
For more information, visit our FIRREA bank whistleblower page. Ready to find out today if you may be entitled to a reward? Contact us online, by email at or by phone . All inquiries are strictly confidential and protected by the attorney – client privilege.
MahanyLaw – America’s Bank Whistleblower Lawyers