Hackers have demanded a $1 million ransom to be paid in Ripple (XRP) for stolen personal data of 90,000 Canadians.
They exploited the systems of two Canadian banks and threatened to release the user information unless their demands were met.
Hackers Exploit Bank Weaknesses
The hack was revealed on Monday by the multinational Bank of Montreal (BMO) and online bank Simplii Financial. Over the weekend, the banks were informed that personal information had been taken of a combined 90,000 different account holders.
The stolen information included names, account numbers, passwords, security questions and answers, social insurance numbers, and account balances. The thieves provided details of two account holders, which were confirmed, in order to back up their ransom demands.
The $1 million ransom (1.6 million XRP) was requested to be paid in XRP by 11:59 PM on Monday night. BMO said, according to CBC News, that their policy is to not make payments to fraudsters while Simplii said they are working with cybersecurity experts and law enforcement.
“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” said BMO spokesperson Paul Gammal.
The hackers sent an email to the banks explaining how they stole the data. They said that they used common mathematical algorithms designed to validate short sequences of numbers in order to work out account numbers, credit card numbers, and social insurance numbers.
We have a dedicated team that is working to make this right. We are also replacing affected clients’ bank cards and taking additional steps to monitor and protect our clients.
— Simplii Financial (@SimpliiFin) May 30, 2018
Using the account numbers, they pretended to be the account holders and followed instructions to reset the passwords. The hackers claimed that at this point, the bank was not checking if a password was valid until the security questions were input correctly. This allowed them to validate correct passwords, giving access to the site.
“Criminals will use Simplii and BMO client information to apply for products credit using social insurance number, date of birth and all other personnel info,” a letter to local media said.
Other Canadian banks have said that they were not affected, including Royal Bank of Canada, TD and Scotiabank who said that none of their customers have been affected.
Customers Concerns over Hack
One of the two victims who had their information released by the hackers told CBC News: “I’m very distressed. How could this happen? I barely slept last night, I’m so worried.”
Another bank user, Michael McCarthy, of Edmonton, said that a transfer for $980 had been made from his Simplii Financial account without his authorization. He said the bank had blocked the transaction, but not reversed it and was worried about his personal information being in someone else’s hands. He went on to say that he is getting a new bank card, but cannot access his money until it arrives in the post.
NewsBTC has previously expressed concerns over the amount of personal data that users are willing to provide to companies, including crypto exchanges. While know-your-customer (KYC) processes are important they also require users to provide photos of themselves and their passport or driving licence details. This hack highlights the value of personal data and the need for companies and exchanges to secure it in similar ways to how they store funds.
Featured image from Shutterstock.