Hackers have threatened to release personal information for nearly 100,000 customers of two Canadian banks unless the lenders paid a $1-million US ransom for its safe return.

On Monday, Bank of Montreal and online bank Simplii Financial — owned by CIBC — revealed that they learned over the weekend that the identifying personal information of a combined 90,000 different account holders at the two banks was stolen.

The thieves said they accessed information such as names, account numbers, passwords, security questions and answers, and even social insurance numbers and account balances, by exploiting weaknesses in the two banks security systems.

“We warned BMO and Simplii that we would share their customers informations if they don’t cooperate,” a Russian-based email purportedly from the thieves said Monday evening.

The email demanded a ransom of $1 million in a cryptocurrency known as Ripple be paid for the return of the data by last night, otherwise the information would be released.

“These … profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don’t get the payment before May 28 2018 11:59PM,” the email said.

That deadline has now passed.

CBC News reached out to both banks for confirmation as to whether any ransom had been paid. 

“Our practice is not to make payments to fraudsters,” Bank of Montreal said. “We are focused on protecting and helping our customers.”

For Simplii’s part, the bank said “we are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients’ data and interests.”

To back up the veracity of their claims, the thieves shared identifying information about two Canadians — each a customer of each respective bank.

‘Very distressed’

CBC News has contacted those two individuals, and both have confirmed the veracity of the information the thieves sent out.

“I’m very distressed,” one victim told CBC News when told their information had been stolen. “How could this happen? I barely slept last night, I’m so worried.”

CBC News has also reached out to the email account purportedly from the hackers, and at publication time, that request has yet to receive a reply.

Some of the data appears to be circulating already on various online forums, although it is frequently taken down soon after posting. CBC News has not been able to confirm the veracity of any of that data — with the exception of the two individuals singled out in the email.

Read More