‘Game changer’: BMO data breach reportedly revealed customer SIN data
New details about the data breach at the Bank of Montreal have emerged.
CTV News reported Wednesday it discovered an online document that included 100 BMO client names, along with crucial data including those customers’ social insurance numbers, dates of birth, and bank account information.
Those details, according to CTV News, were included in a dataset posted to an online forum called Postbin on May 28; the dataset was accessible for about five hours, between 2 p.m. and 7 p.m. ET, before it was removed.
“The game-changer is the social insurance number,” CTV Chief Financial Commentator Pattie Lovett-Reid said in an interview on BNN Bloomberg Thursday. “Because when your social insurance number is compromised, that’s where a virtual profile of yourself could be showing up anywhere.”
“I do think it is being downplayed,” she added. “I don’t think we can understate the importance of the banks, and security, and your money, and your personal data.”
The bank has been trying to save face since Monday, when news of the apparent data breach surfaced. BMO, along with CIBC’s Simplii Financial, reported customers’ personal data may have been compromised by “fraudsters”.
Both banks have been in damage control mode on Twitter, and BMO appeared to exasperate one client in particular, who criticized the bank for inserting a smiley emoji in a response to a query about data security.
“Technically, BMO seems ‘correct’ in what they are communicating, but emotionally there is inadequate connection with their customers in carefully-parsed media statements that appear designed to minimize legal risk and satisfy the bank’s notoriously strict compliance policies,” Bob Pickard, principal of Signal Leadership Communication, told BNN Bloomberg in an email.
“BMO is at least trying to handle queries on social — I give them credit for that — but the threads don’t show fluid and effective communication from them thus far and a consumer-facing financial services organization should be able to do better than the cautious and awkward lines being parsed out.”
Pickard added the lack of communication from the company’s executives on the matter makes it look like the bank is “scrambling” and that the “corporate lawyers and not the corporate communicators are the ones calling the PR shots.”
On Wednesday, two days after announcing data may have been stolen from approximately 40,000 customers, Simplii aimed to reassure customers by saying several steps are being taken with a “dedicated team that is working to make this right.”
Simplii also reiterated its promise to compensate customers if they lose money as a result of the attack.