Class action lawsuits proposed in BMO, CIBC data breach

Jun 19, 2018 | News

Simplii Financial, a division of CIBC, is one of two Canadian banks facing a lawsuit after a data breach left around 90,000 people’s information public. (Reuters/Mark Blinch).

Matthew Frank

A proposed class action lawsuit has been filed against Bank of Montreal and CIBC’s Simplii Financial over disclosed cybersecurity breaches that have affected around 50,000 customers.

Law firms Siskinds LLP and JSS Barristers said they brought the suit against the two banks, alleging the institutions failed to establish security measures to protect their clients’ personal information.

Sajjad Nematollahi, a lawyer for Siskinds LLP, alleges the data breaches had far-reaching implications for clients’ personal lives and financial affairs, but the full extent is yet to be determined.

“The data breach concerns the banks and they have obligations to safeguard their clients’ information and review their systems and audit them on a constant basis,” Nematollahi said.

“As a result of the data breach, all the personal information of these individuals up to 90,000 was compromised,” he said. “That includes names, date of birth, account number, SIN number and more. What happened here is very shocking.”

When reached for comment by e-mail, a CIBC spokesperson issued a statement from the bank, which said, “Simplii is taking additional steps to monitor and protect our clients” and they “have a dedicated team working to make this right for our clients.”

BMO, which is facing a lawsuit, announced it’s offering free credit monitoring, and will block online and mobile access to the accounts of those affected, which the bank believes is fewer than 50,000 clients. (Reuters/Blinch).

BMO did not immediately respond to a request for comment.

The claims have not been tested in court.

Simplii and BMO warned in May that “fraudsters” may have accessed personal and financial information of some of their clientele, up to 40,000 clients and 50,000 clients, respectively.

Both institutions said they were contacted by someone demanding $1 million from the two banks by midnight in order to prevent the sale of data.

BMO and CIBC have since said they are offering free credit monitoring to affected clients and pledged to return any money lost from affected accounts due to fraud.

Ann Cavoukian, a former Ontario Information and Privacy Commissioner, said she was absolutely baffled by the promises the banks issued after it was revealed in May that “fraudsters” accessed customer data.

“They should not have been doing that at all,” said Cavoukian, who is also a distinguished expert-in-residence at Ryerson University. “It drove me crazy they said they will now implement additional security measures when they should have been doing it all along.”

In a series of tweets last month, Simplii said a dedicated team is working to “make this right” and those whose accounts have been locked out online can continue to use ATMs and receive cash back at point of sale terminals.

The banks’ promises might be a case of a “too little, too late scenario” now that the exposures have shown real flaws in the system, Cavoukian said.

“I think this has been a real wake up call for everyone,” she said. “I think customers of BMO and CIBC are taking a second look and considering whether they should be changing.”

Implementing security measures also isn’t a one-time process.

“It’s not the kind of thing you can do once,” Cavoukian said. “It has to be a continuing process. It’s like a chess game, I always say. You constantly have to be upgrading your security measures because the other side is looking for ways to win.

“Why wouldn’t the banks be looking to identify the problems themselves?” she asked.

Cavoukian has warned missing funds are not the only risk for BMO and Simplii clients either, saying hackers might also have access “to your identity, social insurance numbers, your date of birth, name, address.

“There have been cases of identity theft that have arisen from this. [As privacy commissioner] I dealt with people who have dealt with identity theft. It can be a nightmare,” she said.