Two major Canadian banks, Bank of Montreal and Simplii Financial, have become victims of hacks that affected some 50,000 and 40,000 customers respectively. The banks were notified by the hackers themselves, who threatened to release the data publicly unless the banks paid a ransom of $1 million. Neither bank decided to pay the ransom by the hackers' May 28 deadline.
Even if the hackers were trustworthy and even if they were the only people who accessed the stolen data — both of which seem rather bold assumptions to make — it is not uncommon for stolen data to resurface years after an initial breach. In such cases, the regulator wouldn’t look too kindly on an attempt to cover up the breach, even less so if that involved a ransom payment.
According to CBC, Canada’s national broadcaster, which has seen some of the hacked data, the personal data included names, addresses, phone numbers, account numbers, birth dates and Social Insurance Numbers.
As Malwarebytes researcher Jérôme Segura, who analysed the attack, pointed out, most of these details cannot be changed, making the potential cost of abuse of the stolen data very high.
There does not appear to have been any money stolen from either of the banks’ customers, or from the banks themselves. This is obviously a good thing, but it is easy to forget that personal data also has an actual value — especially on the black market — and that the theft of such data could have a serious impact on the affected bank’s image.
Of course, for banks in the U.K. or elsewhere in the EU, there is another reason why the theft of personal data would be a reason for serious concern: the recently enforced General Data Protection Regulation (GDPR).
Given the high fines regulators can issue under the GDPR, a financial institution may be tempted to keep quiet about the breach and decide to pay the ransom. This would be a very bad idea, since there is no guarantee the hackers would keep to their word.