'Game-changer': BMO data breach reportedly included SIN data

Nicole Gibillini, BNN Bloomberg

A Bank of Montreal sign is shown in the financial district in Toronto on Tuesday, August 22, 2017. BMO is warning that "fraudsters" from outside of the country may have accessed certain personal and financial information of some of its customers. The bank says that fraudsters contacted BMO on Sunday claiming to be in possession of certain data for a "limited number of customers" and it believes the attack was originated outside of Canada. , THE CANADIAN PRESS/Nathan Denette

New details about the data breach at the Bank of Montreal have emerged.

CTV News reported Wednesday it discovered an online document that included 100 BMO client names, along with crucial data including those customers’ social insurance numbers, dates of birth, and bank account information.

Those details, according to CTV News, were included in a dataset posted to an online forum called Postbin on May 28, and was accessible for about five hours, between 2 p.m. and 7 p.m. ET before it was removed.

“The game-changer is the social insurance number,” CTV Chief Financial Commentator Pattie Lovett-Reid said in an interview on BNN Bloomberg Thursday. “Because when your social insurance number is compromised, that’s where a virtual profile of yourself could be showing up anywhere.”

“I do think it is being downplayed,” she added. “I don’t think we can understate the importance of the banks, and security, and your money, and your personal data.”

The bank has been trying to save face since Monday, when news of the apparent data breach surfaced. BMO, along with CIBC’s Simplii Financial, reported customers’ personal data may have been compromised by “fraudsters”.

Both banks have been in damage control mode on Twitter, and BMO appeared to exasperate one client in particular, who criticized the bank for inserting a smiley emoji in a response to a query about data security.

We just wanted your phone number in a private message, Steven. We apologize for any misunderstanding 😊. ^MA
— BMO (@BMO) May 30, 2018

Smilie faces aside, let me be clear. The fail is that #BMO has screwed up -- why did I learn of the #databreach via the news media and to this point have still NOT heard anything from the bank as to how I might reasonably respond to any risk, let alone know the risk exists.
— Steven Heipel (@steven_heipel) May 30, 2018

“Technically, BMO seems ‘correct’ in what they are communicating, but emotionally there is inadequate connection with their customers in carefully-parsed media statements that appear designed to minimize legal risk and satisfy the bank’s notoriously strict compliance policies,” Bob Pickard, principal of Signal Leadership Communication, told BNN Bloomberg in an email.

“BMO is at least trying to handle queries on social — I give them credit for that — but the threads don’t show fluid and effective communication from them thus far and a consumer-facing financial services organization should be able to do better than the cautious and awkward lines being parsed out.”

Pickard added the lack of communication from the company’s executives on the matter makes it look like the bank is “scrambling” and that the “corporate lawyers and not the corporate communicators are the ones calling the PR shots.”

On Wednesday, two days after announcing data may have been stolen from approximately 40,000 customers, Simplii aimed to reassure customers by saying several steps are being taken with a “dedicated team that is working to make this right.”

Simplii also reiterated its promise to compensate customers if they lose money as a result of the attack.