Monday, May 28, 2018

BMO and CIBC drop the ball and are found bent over trying to pick it up.

I know eh!  Catchy title!

So get this, they have a security breach and they figure it is a great idea to pump out a press release immediately (according to their own statements).

Now who would do that... who would advise the media hours after a breach is discovered?

CBC news article: 

BMO Press release:

CIBC - Simplii Press release:

The answer is simple.  Someone who has awesome security, and awesome security folks, and awesome security tools (that they had seemingly forgotten to turn on)!

The last part is sarcasm.  

So let's break down the press release into three main parts:

1) They found out about the breach when the bad guys (apparently from another country) called them on Sunday and let them know.

2) They immediately stepped up security (added "enhanced security" .... their term)

3) They are now confident that everything is 100% cool....

Wow..... all within a few hours.

They should shut down the bank and start a security company.  

It is like they didn't have anybody with both hemispheres working re-read this press release.

What's wrong with #1
If the bad guys actually called them up on a Sunday (which by itself is a miracle, since I couldn't dream of reaching someone at a bank's head office on a Sunday), then doesn't this mean it is a hostage situation... they must have called up to ask for something.... where is the beef!

What's wrong with #2
It implies that they had a lot of security systems turned off at the time of the attack (or had no one tasked with looking at the security systems), since they instantly activated "enhanced security mode" within a few hours of being told of the breach.  Why wouldn't this "enhanced security mode" be on all the time?

Anyone who works in security knows that adding "enhanced security" takes months and sometimes years, yet they pulled it off in a few hours.  Simply amazing!

What's wrong with #3
I keep telling senior managers and students the same thing..... if any idiot tells you that something is 100% secure or 100% certain.... back away slowly, they are dangerously incompetent.

Nice job in the press release / damage control department!  I now have yet another example to use in my teachings with regards to the value of keeping your big mouth shut until you have something of value to throw out there.

In the meantime, no one knows what was exposed and what they should do about it.

Once again... nice job... and no.... not cool.

I was interviewed by CBC (in French) and had a hard time holding back the sarcasm.


So to summarize, either they had a lot of security turned off with no one watching and now they are looking, or they added a lot of security overnight... I mean... or they lied.

So to summarize further, they are either incompetent or liars.

Great start to the week!


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
