Why the ransom demand on Canadian banks was a no-win scenario

Two major Canadian banks, Bank of Montreal and Simplii Financial, have become victims of hacks that affected some 50,000 and 40,000 customers respectively. The banks were notified by the hackers themselves, who threatened to release the data publicly unless the banks paid a ransom of $1 million. Neither bank decided to pay the ransom by the hackers' May 28 deadline.

Even if the hackers were trustworthy and even if they were the only people who accessed the stolen data — both of which seem rather bold assumptions to make — it is not uncommon for stolen data to resurface years after an initial breach. In such cases, the regulator wouldn’t look too kindly on an attempt to cover up the breach, even less so if that involved a ransom payment.

Photo caption: A Bank of Montreal (BMO) branch stands in downtown Vancouver, British Columbia, Canada, on Thursday, May 28, 2015. Bank of Montreal, Canada's fourth-largest lender, raised its quarterly payout 2.5 percent to 82 cents a share after reporting profit of C$999 million ($801 million), down 7.2 percent from a year earlier, the Toronto-based company said Wednesday in a statement. Photographer: Ben Nelms/Bloomberg

According to CBC, Canada’s national broadcaster, which has seen some of the hacked data, the personal data included names, addresses, phone numbers, account numbers, birth dates and Social Insurance Numbers.

As Malwarebytes researcher Jérôme Segura, who analysed the attack, pointed out, most of these details cannot be changed, making the potential cost of abuse of the stolen data very high.

There does not appear to have been any money stolen from either of the banks’ customers, or from the banks themselves. This is obviously a good thing, but it is easy to forget that personal data also has an actual value — especially on the black market — and that the theft of such data could have a serious impact on the affected bank’s image.

Of course, for banks in the U.K. or elsewhere in the EU, there is another reason why the theft of personal data would be a cause for serious concern: the General Data Protection Regulation (GDPR), which recently came into force.

Given the high fines regulators can issue under the GDPR, a financial institution may be tempted to keep quiet about the breach and decide to pay the ransom. This would be a very bad idea, since there is no guarantee the hackers would keep to their word.
