Bank of Montreal and Canadian Imperial Bank of Commerce said Tuesday that cyber attackers may have stolen the data of nearly 90,000 customers in what appeared to be the first significant assault on financial institutions in the country.
Bank of Montreal, Canada’s fourth biggest lender, said it was contacted by fraudsters who claimed they were in possession of the personal and financial information of a limited number of the bank’s customers.
A spokesman for the bank said it believed that less than 50,000 of the bank’s 8 million customers across Canada were hacked. He declined to say whether any customers lost money as a result of the attack.
The fraudsters had threatened to make the data public, the spokesman said, adding that the bank was working with the authorities and conducting a thorough investigation.
Bank of Montreal said it believed the attack originated from outside the country and was confident the exposures that led to the theft of customer data had been closed off.
Canadian Imperial Bank of Commerce, Canada’s fifth biggest lender, said fraudsters contacted the lender on Sunday claiming they had electronically stolen personal and account information of 40,000 customers of its Simplii direct banking brand.
CIBC said it has not yet confirmed the cyber breach but is taking the claim seriously. CIBC said customers at its main banking division were not affected.
Both banks said they were contacting customers and advising them to monitor their accounts and report any suspicious activity.
Other Canadian banks said they had not been affected.
Shares in BMO were down 0.3 percent and CIBC was off 0.3 percent.
Canada’s six biggest banks have been collaborating along with the Bank of Canada to enhance their defenses against cyber attacks. The Bank of Canada said earlier this month that some attacks would inevitably succeed but it has recovery mechanisms in place to limit the damage.
Cyber attacks are increasingly common. Last year, credit monitoring firm Equifax said information on about 146.6 million names, 146.6 million dates of birth, 145.5 million U.S. social security numbers, 99 million addresses and 209,000 payment card numbers and expiration dates, were stolen in a cyber attack.