Get exclusive analysis and cryptocurrency insights on Hacked.com for just $39 per month.
Hackers who stole the personal information of tens of thousands of customers from two Canadian banks are threatening to publish that data online unless the banks pay them $1 million in XRP.
Regional media outlet CBC News reports that the Bank of Montreal (BMO) and Simplii Financial were successfully breached over the weekend, allowing the hackers to access sensitive personal and financial information belonging to more than 90,000 customers. Stolen information included names, passwords, account numbers, security questions and answers, account balances, and social insurance numbers.
According to emails allegedly sent by the perpetrators, the hackers are holding that data for ransom and will dump it online unless the banks send them $1 million worth of Ripple’s XRP token, which is currently the fourth-largest cryptocurrency by market cap.
“We warned BMO and Simplii that we would share their customers informations if they don’t cooperate,” said the email, which appears to have been sent from Russia. “These … profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don’t get the payment before May 28 2018 11:59PM.”
The hackers explained that they were able to breach the banks’ sub-par security by using an algorithm to generate account numbers and then posing as customers who had forgotten their passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said, adding that the system “was not checking if a password was valid until the security question were input correctly.”
The attackers also included an example customer data set from each bank to prove that they had circumvented the institutions’ security protocols.
The deadline to submit to the ransom demand has now passed, but it is not clear if the fraudsters have carried out their threat to release the customer data on the web. In any case, it does not appear that the institutions intend to pay the ransom.
“Our practice is not to make payments to fraudsters,” the Bank of Montreal told the publication in a statement. “We are focused on protecting and helping our customers.”