How hackers stole data on 113,000 customers from a Canadian bank.
Welcome to Cyber Security Today. It’s Wednesday, December 29th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Before the year ends I want to tell you about a segment in the Privacy Commissioner of Canada’s recent annual report. It’s an examination of a data breach discovered in 2018 at one of Canada’s biggest financial institutions, the Bank of Montreal. Information on 113,000 customers was copied by crooks in two waves. There are a lot of lessons for IT professionals.
Canadian banks are thought to be among the most cyber-aware institutions in the country, in part because of the money they spend on security. But the report shows that effort, not just money, counts.
Between June 2017 and January 2018, a vulnerability in the bank’s in-house online banking application allowed attackers to breach security safeguards, take over individual online accounts and collect personal information of customers. The exact vulnerability isn’t detailed.
The data theft occurred in two waves. In the first data was copied on 36,000 accounts. In the second wave data on 76,000 accounts was copied. Only then did the bank become aware of a vulnerability. But it didn’t know how big the breach was until May 2018, when it received a ransom letter from an attacker.
According to a news report, the demand was for $1 million or customer names and information would be publicly released.
CIBC’s Simplii Financial online bank was hit around the same time.
The Bank of Montreal attackers got customers’ contact details as well as their banking history. The social insurance numbers and dates of birth of more than half of the 113,000 customers were also compromised. After the bank refused to pay a ransom the attackers posted the personal information of more than 3,000 customers on various public websites.
The privacy commissioner’s report noted that with proper application and network monitoring the first wave of data thefts would have been detected. In fact the bank didn’t have a way of addressing automated attacks by bots, which left it vulnerable to the second wave of attack.
In addition, investigators found application developers didn’t do adequate software security testing and evaluation. That resulted in an online banking application being deployed with a critical, high-risk vulnerability for six months — and the impact to customers’ personal information was unknown for a further six months.
During the investigation the bank tightened its security policies and procedures.
One more thing: The Bank of Montreal had to pay out at least $12 million to settle a class-action lawsuit by victims.
A programming note: Because of the holiday there will be no Cyber Security Today podcasts this Friday. So the next time you’ll hear from me will be Monday, January 3rd. Until then, have a great holiday.