Security deficiencies at BMO lead to large-scale breach

PIPEDA Findings #2021-003

March 30, 2021

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description

The complainants in this matter contacted the OPC subsequent to the breach of their personal information held by the Bank of Montreal (BMO). Our investigation found that BMO’s online banking software had significant weaknesses in its technical safeguards, which allowed the attackers to orchestrate a large-scale breach of approximately 113,000 accounts.

Takeaways

Organizations must take care during testing and development of software and tools to identify and address vulnerabilities prior to implementation. Robust testing should generally combine both manual and automated tools.
Organizations must consistently apply technical vulnerability management protocols in order to identify and minimize risks.
Organizations should have “bot” management and protection tools and protocols in place to defend against this common attack.
Organizations must not only implement and maintain, but also properly configure system oversight and monitoring tools to detect and mitigate suspicious activity. This configuration should include alerts to inform security personnel of suspicious activity and the need to investigate.

Report of findings

Overview

The Office of the Privacy Commissioner of Canada (“OPC”) received complaints from two Bank of Montreal (“BMO”) customers, alleging that BMO had not adequately safeguarded their personal information. The complainants alleged that as the result of a breach of BMO’s systems, their personal information had been obtained by malicious actors and posted on various third-party websites.

BMO acknowledged that vulnerabilities in its online banking application, existing between June 2017 and January 2018, allowed attackers to breach its security safeguards, take over online banking accounts, and exfiltrate the personal information of 113,154 of its customers in two separate attacks. The first attack occurred during the period between June and November 2017, while the second occurred in late December that same year. BMO did not become aware that personal information had been taken by the attackers until it received a ransom email in May 2018, prompting it to conduct a comprehensive technical review of its systems. As a result of this review, BMO discovered that the first breach involved the compromise of 36,755 customers, and the second, 76,399.

During these attacks, unauthorized third parties obtained a wide range of personal information, which included, depending on the person, financial account numbers, social insurance number (“SIN”), name, occupation, date of birth (“DOB”), address and/ or credit/debit card numbers. This is sensitive information that could be used by malicious actors to perpetrate identity theft, and as such, the strength of the security safeguards implemented by BMO should have been commensurately high.

We determined that the attackers were able to access this information by exploiting key vulnerabilities and weaknesses in BMO’s online account system. Specifically, this allowed them to:

sign into one online banking account and then access another customer’s account by simply inputting another valid card number, which in turn allowed them to obtain that customer’s personal information from an unencrypted file accessible via one of the online account pages; and
do so on a grand scale, undetected, by using a computer program to cycle through random card numbers to access personal information of 113,154 accounts (a “bot” attack).

Our investigation found a number of deficiencies in BMO’s safeguards, which contributed to the breach. These included gaps in:

Developer security testing and evaluation – As a result of deficiencies in secure software development and testing, BMO developed and implemented an application with significant vulnerabilities, which attackers were ultimately able to exploit.
Vulnerability management – Due to gaps in its vulnerability testing, BMO failed to catch the online account access vulnerability for approximately six months after implementation. Even though BMO detected the breach in December 2017, it did not take measures to assess the resulting risk to customers’ personal information until 6 months later, when it received proof that personal information had been exfiltrated. When BMO finally turned its mind to this assessment, it was able to quickly ascertain the scope of the data breach. It was only at this point, 6 months after the breach was discovered, that BMO was then able to implement measures to mitigate risk to the 113,154 customers whose personal information had been compromised.
Oversight and monitoring – Even though bot attacks are common, BMO lacked a “bot management solution”. This could have allowed BMO to discover and halt the first attack, and to avoid the December 2017 breach altogether. Furthermore, there were important gaps in BMO’s intrusion detection protocols, which should have identified, for example, that over 113,000 accounts had been accessed via three IP addresses ^{Footnote 1}, or that a single IP address was accessing multiple online accounts during one authorized session.

We therefore concluded that BMO did not have appropriate safeguards commensurate to the sensitivity of information in question. BMO did, however, implement significant safeguards improvements to address the safeguard weaknesses we identified, such that we consider the matter to be well-founded and resolved.

Background and complaint

The Office of the Privacy Commissioner (“OPC”) received two separate complaints from individuals alleging that the Bank of Montreal (“BMO”) did not adequately safeguard their personal information on its online systems, and that as a result, unauthorized third parties gained access to their personal information - which included, depending upon the person, financial account numbers, social insurance number (“SIN”), name, occupation, date of birth (“DOB”), address and/ or credit/debit card numbers - and publicly disclosed the information of some customers on various websites.
As one of Canada’s largest federally regulated financial institutions, BMO provides a variety of banking and investment services to its customers, including online banking services, which allow its customers to make a variety of transactions and applications related to their financial accounts.
Between June 2017 and January 2018, a vulnerability in BMO’s in-house online banking application allowed unauthorized third parties to breach its security safeguards, take over individual online accounts and collect personal information associated with those accounts.
In total, BMO determined that 113,154 customers were affected by this breach and had their personal information compromised. The affected personal information varied, depending on type of account and what personal information was associated with it. It was determined by BMO that malicious actors behind a sustained cyberattack in December 2017 were responsible for two-thirds of the accounts being compromised, while the remainder were compromised in a separate undetected attack.
BMO refused to pay a ransom demand received in May 2018, and referred the letter to law enforcement. In response, an unauthorized third party proceeded to publicly post the personal information of 3,190 BMO customers on various public websites . While BMO acted quickly to request that the information be removed, it had already been accessed and disseminated by other third parties, including by a journalist who contacted one of the complainants. Shortly thereafter, BMO publicly announced the breach, and began notifying affected individuals.
In September 2020, two individuals suspected of being responsible for the cyberattack were charged by the RCMP for various offences under the Criminal Code of Canada. The final disposition of the matter remains outstanding.

Methodology

In addition to conducting open-source research, our Office analyzed a variety of representations and materials provided by BMO relating to the breach, as well as the bank’s protocols and safeguard technologies.
BMO engaged an independent company, specializing in IT security, to conduct a forensic analysis of the incident. BMO rejected the OPC’s requests to access reports generated by the third-party, claiming solicitor-client privilege. Without access to these important sources of information, our Office relied upon publicly available information and the information we were able to collect voluntarily from BMO.
BMO’s decision to withhold this document, on the basis of a claim of privilege, complicated and delayed our investigation, resulting in multiple rounds of questions and review of thousands of pages of technical documents and raw data.

Analysis

Details of the breach

Description of the affected system

BMO’s online banking platform is a public-facing web-based application designed to allow authorized BMO customers to complete a variety of banking tasks associated with their account, including but not limited to: checking account balances and transaction history, making transactions such as bill payments or electronic transfers, and applying for new financial products.
BMO stated that it developed the application internally using Java^{Footnote 2}, and that the application is hosted on its servers in Ontario.
In order to access the application, customers must authenticate on BMO’s website using their debit card number and a password that they have chosen. The web application is secured using industry standard TLS^{Footnote 3} encryption, a web application firewall^{Footnote 4}, and endpoint protection software^{Footnote 5}.

Description of the breach

In December 2017, an unauthorized third party launched a series of “bot”^{Footnote 6} attacks against BMO’s systems. The exact date that the attack began is unknown. In the early hours of December 22, 2017, BMO’s fraud team became aware of unusual activity related to a high volume of sign-in requests and fraudulent electronic money transfers. By evening of the same day, BMO had determined that a cyber-attack was in progress and mobilized a cross-functional team to respond.
BMO began mitigation measures in the morning of December 23, 2017 by blocking certain IP addresses linked to the attack. On December 24, 2017 BMO deployed a third-party security tool with additional capabilities for mitigating the attack. A second, smaller attack was attempted on December 25, 2017, but due to the mitigation strategies BMO had just implemented, it was unsuccessful at accessing any accounts.
Approximately 6,076 accounts were initially identified by BMO as being affected by the attack. On December 23, 2017, BMO notified these clients of the incident through automated messages or by phone, and proceeded to restrict their transactions and issue new debit cards. BMO advised the OPC of the breach on January 5, 2018.
During its initial investigation, BMO erroneously determined the “bot” attack to be a high volume brute-force attack^{Footnote 7} against customer account login credentials.
In late January 2018, BMO discovered various anomalies in the access patterns present in its logs, which suggested the presence of a “session corruption vulnerability” (the “vulnerability”). This vulnerability allowed a malicious user who had successfully signed into the online banking application, to access the accounts of other clients using only those clients’ debit or credit card numbers. BMO ultimately determined that this vulnerability had been present since at least June 2017. BMO patched this vulnerability on January 27, 2018.
The high-volume activity that BMO had interpreted as a brute-force attack against its login page had in actuality been the attacker’s use of bots to facilitate exploitation of the vulnerability, by rapidly inputting numeric strings until valid credit or debit card numbers were found.
BMO represented that in January 2018, it had still not identified the full impact or scope of the vulnerability. BMO treated the incident as a series of account takeovers that allowed the unauthorized third party to access and move money. It therefore focused its efforts on combating the related fraud involving unauthorized money transfers, and did not assess the risk to customers’ personal information. As a result, BMO remained unaware of the significant exfiltration of personal information that had occurred.
On May 27, 2018, BMO received an email from an individual they refer to as the “extortionist”. The extortionist’s email stated that unless BMO paid them one million dollars in the form of a cryptocurrency, the individual would release the personal information of 50,000 BMO clients. The extortionist provided details of the abovementioned vulnerability and an example of a BMO client’s personal information in raw format. Based on the information provided, BMO concluded that the extortionist had breached its systems.
BMO did not pay the ransom and referred the extortionist’s email to law enforcement. On May 28, 2018, the extortionist posted the personal information of a random selection of 3,190 BMO customers to various third-party websites. BMO contacted the websites and had the information removed on the same day, however the data had already been copied by a variety of unrelated third parties and could not be effectively suppressed.
It was only upon receiving the extortionist’s letter, that BMO began to consider the breach as a “significant cybersecurity incident”, and initiated a comprehensive review and analysis of its systems.
On May 28, 2018, BMO assessed the raw output of the extortionist’s examples, and through internal analysis and matching, identified the application from which the personal information had been obtained. BMO determined that as part of the attack in December 2017, the attacker accessed a component of the online banking application known as “Apply for Product”.
This application allowed customers to apply for various financial products after they had logged into their account. For convenience, BMO pre-populated various fields in the application based on the personal information associated to the account. As part of this process, an unencrypted file containing extensive customer personal information was stored in the online banking session cache^{Footnote 8}. BMO determined that it was this file that was used by the attacker to collect the personal information of its customers.
Through the analysis conducted in June 2018, BMO determined that 76,399 customers had been affected by the December 2017 breach. Further investigation determined that an earlier exploitation of this vulnerability had occurred at some point between June and November of 2017, when unknown attackers accessed the accounts and personal information of an additional 36,755 customers. This attack was not detected at the time, and BMO believes that the attackers may have been different from the person(s) responsible for the second, larger attack in December 2017.
BMO determined that the vulnerability exploited by the attackers had been successfully patched on January 27, 2017, though there had been a 24 hour period on February 4, 2018 when the vulnerability was re-opened, before being patched once again.
In June 2018 BMO hired a third-party cybersecurity company to conduct a full audit and investigation of its systems, and a second cybersecurity company to conduct further security testing to seek out any other potential vulnerabilities. On June 6, 2018 BMO applied a comprehensive patch that permanently repaired the vulnerability.
As described later in this report, in response to this incident, BMO made a variety of substantial changes to its policies, procedures and technical safeguards to improve its security posture and prevent future breaches.

Personal Information involved in the breach

BMO advised that its evaluation indicated that the personal information of 113,154 of its customers’ had been compromised over the time that the vulnerability was active (as detailed in paragraph 25 above). The types of personal information included: Name, Contact information (addresses, email, phone numbers), DOB, SIN, Security Questions and Answers, Account Passwords, Bank Account Numbers, Account Balances and Transaction history.
BMO separated the compromised personal information into two “tiers” based on its assessment of sensitivity. Tier 1 was defined by the breach of DOB and SIN in addition to other types of personal information (62,945 compromised customers), while Tier 2 was defined as the breach of any other combination of personal information, excluding SIN and DOB (50,209 compromised customers).

Issue: Whether BMO implemented appropriate safeguards to adequately protect personal information under its control.

Principle 4.7 of PIPEDA provides that personal information must be protected by security safeguards appropriate to the sensitivity of the information. As set out in Principle 4.7.1 of PIPEDA, the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Principle 4.7.3 further provides that methods of protection should include: (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, such as the use of passwords and encryption.
In our view, for the reasons outlined below, BMO did not implement adequate safeguards to protect customers’ personal information.

Sensitivity of personal information

The compromised personal information was either Tier 1 or Tier 2, as described in paragraph 30. For each tier, the information could be considered sensitive when taken together, given that even Tier 2 included full financial details, including transaction history associated to individual accounts. Tier 1 information further included SIN and DOB, which are particularly sensitive, given their permanence and importance in establishing identity and functioning in Canadian society. Our Office notes that this information can be used by malicious actors to perpetrate identity theft. Therefore, in our view, the strength of the security safeguards implemented by BMO to protect this personal information should have been commensurately high.

Relevant Safeguards

In assessing the safeguards BMO had in place at the time of the attack, we focused on the following four areas:

Developer Security testing and Evaluation – to develop and implement secure software solutions;
Vulnerability Management – to identify, evaluate and remediate software vulnerabilities post deployment;
Oversight and Monitoring – to detect suspicious activity, and assess and mitigate cyberattacks; and
Organizational Policies and Procedures – to set out protocols and procedures for handling cyberattacks.

Developer Security Testing and Evaluation

It is our determination that the safeguard issue at the core of this breach is BMO’s development and deployment of a public-facing banking application with a critical vulnerability in place. The exploitation of this vulnerability allowed attackers to largely bypass other safeguards.
Secure application development and testing is a key element of implementing software solutions that adequately safeguard personal information. Our Office notes that BMO maintained what it referred to as an “application security end to end process lifecycle” in support of this.
This process was defined by BMO’s operational guidance and corporate directives regarding security activities and protocols for conducting a pre-implementation security review process. This process included determining security requirements, testing, validation and managing issues and risks.
Despite these procedures however, our office notes that BMO developed and deployed a web application with a critical, high-risk vulnerability. The vulnerability allowed malicious actors who had successfully authenticated into a single account to completely bypass authentication and security protocols, and access account information associated with any other account by simply entering another valid debit/credit card number. A further weakness allowed the attackers to cycle through random number strings to find valid card numbers and exploit the vulnerability on a grand scale.
The compromised banking application was developed internally by BMO. BMO therefore had full responsibility for the application’s security testing and evaluation. It is our view that BMO should have reasonably detected and addressed this vulnerability prior to its implementation in a live production environment.
We noted a number of deficiencies that contributed to this issue:
1. BMO provided our Office with a number of risk assessments conducted after the breach, which indicated that certain tools that would have been useful for the identification of pre-launch vulnerabilities in BMO’s code were unavailable. In particular, due to limitations in its security scanning and testing applications, BMO was incapable of conducting a number of key vulnerability scans. An internal post-breach risk assessment conducted by BMO found this to be an issue of significant severity and high risk. Our Office notes that this deficiency has since been addressed, and these scans are now conducted regularly.
2. At the time of the breach, BMO did not conduct penetration testing^{Footnote 9} as part of its application release process. As indicated in paragraph 78, BMO has since significantly expanded its testing regime, by implementing pre- release penetration testing and red team exercises.

Vulnerability Management

BMO did not detect the vulnerability in its system for at least seven months, allowing malicious actors to exploit it multiple times, and compromise the personal information of 113,154 customers over that period. In our view, there were gaps in BMO’s vulnerability assessment process, before and after it became aware of the breach, which contributed to this failure.
Software vulnerabilities present a significant risk to organizations, in that they may be exploited by malicious actors to circumvent safeguards. Organizations responsible for safeguarding personal information must have tools and protocols in place to assess their systems, and address vulnerabilities on an ongoing basis. Such systems must include mechanisms to: (i) correctly and expeditiously identify and assess vulnerabilities; (ii) implement appropriate remediation measures to address the vulnerabilities; and (iii) verify that the vulnerabilities have been fixed.
BMO advised our Office that at the time of the breach, it maintained a vulnerability assessment program^{Footnote 10}. The program, which BMO explained to our Office in detail, included daily external vulnerability assessments, weekly internal vulnerability assessments and database/workstation vulnerability assessments on a monthly basis.
Despite these steps, we note that at the time of the December 2017 cyberattack, the vulnerability had existed undetected by BMO since at least June 2017.

Penetration testing

Deficiencies in scanning tools and penetration testing identified in paragraph 41, which adversely affected the secure development process, also led to deficiencies in identifying the vulnerability in the “apply for product” page, post-deployment.
Penetration testing is a critical aspect of maintaining safeguards and ensuring that issues are detected and addressed. BMO contracted with a third-party security company to conduct annual internal and external penetration testing against their online banking platform. However, in our review of BMO’s representations, we noted that the service contracted by BMO was for fairly general and high-level testing of common attacks, relying primarily on automated scans, with minimal manual testing or use of exploit tools. Given the level of sensitivity of the personal information in BMO’s control, greater testing protocols, including advanced manual exploit testing and tools were warranted. We note that BMO has since adopted such protocols as explained in paragraphs 78 and 79.

Post-breach vulnerability assessment

Furthermore, and of additional concern, even though the vulnerability was identified, assessed and patched by BMO in late January 2018, BMO did not determine that personal information may have been exfiltrated until May 2018, after the ransom note was received.
This was due to BMO’s focus on the fraud element of the breach, and its resulting failure to conduct a full assessment of the vulnerability, as explained in paragraph 19. It is our view that as part of its post-breach analysis process in December 2017, BMO should reasonably have determined the high likelihood of personal information being compromised. Specifically, if BMO had queried its online account activity logs (as detailed below, in paragraph 57) for the compromised accounts, it should have been apparent that the attacker had repeatedly accessed the “Apply for Product” page under many accounts. In turn, a review of that page’s source code should have resulted in the discovery of the cached file containing sensitive personal information.
If BMO had undertaken a more comprehensive assessment, and discovered this risk, in December 2017, it could have initiated mitigation measures to protect individuals from identity theft several months before receiving the extortionist’s letter.
In our view, deficiencies in the assessment process contributed to BMO’s failure to identify and properly assess the nature and scope of the information-security vulnerability for a protracted period, and increased the risk posed to individuals from the breach of their personal information.
We do note, however, that upon identifying the vulnerability in May/June 2018, BMO did effectively implement an existing protocol for remediation of detected vulnerabilities and verification of associated measures implemented to mitigate identified risks. This included reproducing the vulnerability in a development environment, applying a patch, peer-reviewing the code and running security scans. The patch would subsequently be tested in a quality assurance environment and be subject to functional and regression testing before release.
We also note that the above deficiencies have since been addressed by the improvements to testing protocols described in paragraphs 78 and 79, as well as the improvements referenced in paragraph 82.

Oversight and Monitoring

Our Office identified a number of significant gaps in BMO’s safeguards related to oversight and monitoring. Weaknesses in its ability to detect suspicious activity, detect and block ‘bots’, and a lack of real-time alerts all contributed to the scope of the breach.
Oversight and monitoring are critical elements to any personal information protection regime. They allow organizations to detect suspicious internal and external activity and ensure compliance with directives and policies. We examined BMO’s technical oversight and monitoring capabilities related to external cybersecurity threats to its online banking platform.
While we will not go through all of the oversight and monitoring tools and protocols that BMO had in place, given many are not relevant to this particular breach, we will note that BMO did have a variety of industry standard systems and procedures in place.

Logging

BMO’s information security policies establish the need to log and monitor, by default, its user and system activities, exceptions and security events in order to ensure security. BMO set out a significant and useful level of detail for its logs, and also maintained a significant retention period for its logs.
Log review at BMO was conducted both manually and automatically using various tools. A team referred to as the Cyber Security Operations Centre (CSOC) is responsible for reviewing and investigating logs for malicious activities when alerted by BMO’s tools or other departments.
As detailed in paragraph 49, it is unfortunate that BMO did not initially leverage these logs to identify risk to customers’ personal information, upon learning of the December 2017 breach.

Bot management

While BMO maintained a number of technical “perimeter defences” around its web applications, such as a web application firewall, it did not have any type of bot management solution in place, and therefore lacked the ability to effectively detect and halt bot attacks, such as the one in this case.
BMO only became aware of the December 2017 bot attack after its fraud team noted suspicious transactional activity in the form of a high volume of sign-in requests and fraudulent money transfers, as indicated in paragraph 13. In this case, the CSOC, and its associated tools, did not detect the breach. Rather, the incident was referred to the CSOC by the BMO fraud team after a combination of fraudulent financial transactions and high login volume raised concerns. In its representations, BMO indicated that its primary focus was on the fraudulent transfers.
BMO indicated that this suspicious activity occurred over multiple days before the attack was identified via manual review. Furthermore, the fraudulent financial activity was independent of the exfiltration of data. Had the attacker been focused on acquiring data, without also attempting electronic money transfers, BMO may not have detected the attack at all.
Once it became aware of the attack, BMO responded by manually blocking specific IPs, an inefficient means of mitigating a botting attack, particularly due to the fact that BMO had only flagged IPs associated with fraudulent money transfers. It was only subsequent to the implementation of a third-party bot management solution from a security vendor on December 24, 2017, that BMO effectively halted the botting attack.
Given the ubiquity of bot-facilitated attacks against technical systems, it is our view that BMO should reasonably have had such a safeguard in place prior to the breach. Had this tool been implemented previously, the botting attack would likely have been unsuccessful, and the approximately 76 thousand accounts would likely not have been compromised.

Cyberattack detection and alerts

BMO did have detective security monitoring in place, including a third-party Security Information and Event Management (SIEM) product^{Footnote 11}. BMO built a library of detection “use cases”^{Footnote 12} to flag attack patterns and suspicious activity found within the logs.
Despite this, BMO’s SIEM configuration lacked common and reasonable rules for flagging certain suspicious activity. In the matter at hand, the attacker responsible for the botting attack in December 2017 used just three IPs to access approximately 76,000 accounts. Simple use cases instructing the system to flag an IP that repeated fails to access accounts, or a single IP address being used across multiple sessions, would have detected the attack immediately.
Unfortunately, such basic use cases were not in place, despite being useful for detecting routine attack vectors.^{Footnote 13} As noted in paragraph 79, BMO has since significantly expanded its detection use cases - this includes the addition of the two aforementioned basic rules.
Critically, BMO advised that its system was also “unable to distinguish between access using valid credentials and access that resulted from a session corruption vulnerability”. As a result, BMO was unable to detect changes to the session or the data exfiltration, and account breaches were logged as legitimate activity. This contributed to BMO’s inability to detect the data exfiltrations, and subsequently determine when they occurred.
Finally, we note that even if BMO had had these additional detection tools in place at the time of the breach, it also lacked automated fraud alerts to notify the bank of potential attacks identified via those detection tools. Without effective alerts to flag suspicious activity to the proper resources, even the most sophisticated detection technologies are of little value. Such alerts are necessary to quickly respond to cyberattacks. As referenced in paragraph 80, BMO has since added real-time fraud alerts.
It is our view that had the abovementioned detection measures and alerts been in place, they may have allowed BMO to detect, identify and halt the earlier attack, where attackers accessed approximately 36,000 accounts between June and November 2017. These tools could have alerted BMO to the suspicious activity and triggered a security audit like that which BMO undertook in May/June 2018, after it was made aware of the exfiltration by the extortionist. This could have allowed BMO to detect and patch the vulnerability before the December 2017 attack, and avoid the breach of a further 76,000 accounts.

Organizational Policies and Procedures

BMO had a wide variety of directives, policies and procedures in place for the protection of personal information, as we would expect from a major financial institution. Our investigation determined that in general, BMO’s organizational policies and procedures for safeguarding information were meaningful. That said, we note certain areas that would benefit from improvement. For example, we determined that certain procedures were too high-level, and full protocols did not exist for certain important scenarios.
In particular, at the time of the breach, BMO did not have a specific operating procedure or protocol in place to identify, assess and mitigate botting attacks despite such attacks being common and routine. We do note that after the breach, BMO created a protocol and operating procedure for such attacks, and initiated a project to review and update all of its incident response documentation.
The second shortfall we noted was that responsibilities for security were spread out across various teams, with a lack of proper integration and communication procedures for active cyberattacks. This led to delays in BMO’s response, as various teams needed to communicate, be organized and activated to respond to this breach. We note that after the botting attack had been detected, it took BMO nearly a full day to organize a multi-team response and effectively halt the attack. While this delay may not be viewed as unreasonable, we note that BMO appeared to have had the capability to respond more quickly, had proper procedures been in place. Where this incident highlighted minor shortcomings in BMO’s security protocols and procedures, BMO recognized them and has since made significant improvements, as described in paragraphs 81-84.

Assessment of BMO’s Safeguards before and after the Breach

In our view, the specific weaknesses described above, individually and collectively, constitute a failure to implement security safeguards appropriate to the volume and sensitivity of the personal information held by BMO, in contravention of Principle 4.7 of the Act.

Actions taken by BMO since the Breach

BMO has made a variety of significant improvements to its security posture since the breach, based on multiple internal and external assessments of the shortcomings in its technical safeguards and security procedures, to resolve the safeguard deficiencies we identified in this report.
In particular, we note that subsequent to receiving the ransom note, BMO hired a third-party security company to conduct a forensic security investigation of its systems. While BMO declined to provide us with any details regarding this investigation or the forensic report, citing solicitor-client privilege, we note that this was a positive step in principle.

Technical Safeguard Improvements

BMO deployed a third-party bot management tool to its online perimeter as well as a third-party application security and fraud prevention solution, in dual layers. These tools protect against brute force and credential stuffing^{Footnote 14} attacks. The bot management tool was successfully deployed on December 24, 2017, while the cyberattack was taking place, and effectively halted the attack. If properly configured and maintained, these tools help serve as an effective safeguard against various cyberattacks, including an automated “bot” attack of the sort BMO suffered.
Significant improvements were made to BMO’s security testing regime. BMO replaced its previous third-party penetration testing service provider after the breach. BMO’s contract with the new vendor includes enhancements to application penetration testing, including more thorough testing and release testing^{Footnote 15}, in addition to annual tests. BMO also established enhanced extended (multi-month) “red team”^{Footnote 16} campaigns to regularly test its security and supplement its penetration tests. BMO improved deficiencies in its vulnerability management protocols by implementing new scans and more robust testing protocols before code is made live on its production systems.
BMO significantly expanded its security monitoring use cases, and built a data repository with centralized code from all of its internet and mobile applications, allowing streamlined security analysis. It also created a common playbook, or set of instructions, for information security and fraud teams to improve alerting processes.

Policy and protocol improvements

BMO implemented a new real-time fraud alerts system and near real-time transactional data feed to improve its ability to detect and quickly respond to attacks. Policy and Protocol Improvements
BMO significantly expanded the number of human resources on its fraud and cybersecurity teams. Additionally, it created a new Financial Crimes Unit to streamline its cybersecurity, threat analytics, monitoring, reporting, anti-fraud, investigations and crisis management functions into a single responsibility centre. This is an improvement to their previous structure where such responsibilities were spread out across different groups and teams, leading to communication delays and conflicts in responsibilities.
Subsequent to the breach, BMO developed a number of new procedures and directives and significantly expanded existing ones, including most significantly, an event flow and protocol for botting attacks, vulnerability and software development security standards and standards for incident management. These new organizational policies and procedures add critical detail, set out meaningful requirements and refine and streamline security related workflows and incident response.
BMO launched a program to enhance authentication mechanisms for online banking applications overall.
Our Office has assessed the significant improvements that BMO made to its security protocols, systems, testing and operations after the breach and has determined that they address the deficiencies we identified.

Conclusion

In view of the above, we find this matter to be well-founded and resolved.

Footnotes

Footnote 1

An Internet Protocol address is a numerical label assigned to a device when it connects to a network. The IP address identifies the device and routes its network traffic.

Return to footnote 1

Footnote 2

A programming language used in the development of software applications.

Return to footnote 2

Footnote 3

Transport Layer Security, a cryptographic protocol to secure internet communications via encryption.

Return to footnote 3

Footnote 4

A security application that monitors, logs, analyses and blocks HTTP (Hypertext Transfer Protocol) traffic to and from a web application. It can protect web applications from a variety of internal and external attacks.

Return to footnote 4

Footnote 5

Security software deployed to manage user access and authentication.

Return to footnote 5

Footnote 6

Automated software applications used to execute repetitive tasks. The purposes of such tools can range from legitimate to illegal.

Return to footnote 6

Footnote 7

A common attack in which an automated tool makes repeated login attempts using commonly used passwords and alphanumeric strings to attempt to “guess” the account password and gain access.

Return to footnote 7

Footnote 8

Data stored on the user’s machine when accessing a website. Used to speed up browsing and enable various functions.

Return to footnote 8

Footnote 9

Authorized testing in which security professionals attempt, over a short period (e.g., 2-3 days), various attack vectors to compromise system security in order to identify vulnerabilities in an organization’s security architecture.

Return to footnote 9

Footnote 10

BMO’s program included (i) a variety of policies and procedures; (ii) scanning and testing tools; and (iii) directives for managing and remediating identified vulnerabilities.

Return to footnote 10

Footnote 11

A SIEM system is a technical tool used to correlate and aggregate information from various logs, analyse the information within them, and provide alerts regarding potential threats.

Return to footnote 11

Footnote 12

Instructions setting out scenarios that the SIEM software should flag as suspicious.

Return to footnote 12

Footnote 13

While more sophisticated botting attacks can involve attackers cycling through multiple IPs or using various tools to obfuscate the source of the attack - making it a challenge to detect and defend against them - in the cyberattack at hand, these techniques were not used.

Return to footnote 13

Footnote 14

A form of cyberattack where a malicious actor uses automated tools to rapidly cycle through various previously breached credentials to access accounts.

Return to footnote 14

Footnote 15

Release testing involves the thorough assessment and testing of code prior to its launch on a production environment. This practice serves to find weaknesses and vulnerabilities before the application goes live.

Return to footnote 15

Footnote 16

In the context of cybersecurity, a “red team campaign” is an authorized activity in which security professionals will emulate real-life attackers in an attempt to stealthily breach an organization’s system with a specific objective in mind (Ex: obtaining specific data). In contrast to penetration testing, red teams are focused on defeating the organization’s security capabilities and personnel and accomplishing their objective the way a true attacker would, rather than generally testing architecture. Red team campaigns generally run much longer than penetration tests.

Return to footnote 16

Date modified:: 2021-12-09

Language selection

Search and menus

Search