Hackers recently stole information on thousands of Canadian bank users. They have demanded $1 million worth of the cryptocurrency XRP in exchange for not releasing the data trove.
CBC News reported on Tuesday that the two banks hit by the breach, Bank of Montreal and CIBC’s online bank Simplii Financial, have said that the personal information of a total of 90,000 account holders had been taken, along with details such as names, account numbers and passwords.
The report says that the thieves claimed to also have security questions and answers, social insurance numbers and account balances.
An email sent by the hackers – reportedly from Russia – demanded a ransom of $1 million in XRP, a cryptocurrency developed by blockchain payments startup Ripple, saying they would release the data if it wasn’t paid before the close of May 28. It is not clear if the $1 million demand was expected to be paid in a U.S. or Canadian dollar equivalent.
The hackers provided information on one customer from each of the two banks as proof that they had actually obtained customer data through the breaches.
According to the email, the hackers had used an algorithm to generate account numbers, which they then used to pose as genuine account holders and get the banks to reset the related security questions. Security measures at the banks also came under fire, with the message: “They were giving too much permission to half-authenticated account which enabled us to grab all these information. … [The bank] was not checking if a password was valid until the security questions were input correctly.”
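The two weaknesses named in the email (privileges granted to a half-authenticated session, and a password checked only after the security questions) are closed in the login flow below, an added example that is not code from the article or from either bank. The `Session` class, the action names and the account record are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum

class AuthState(Enum):
    ANONYMOUS = 0
    PASSWORD_OK = 1  # half-authenticated: password verified, second step pending
    FULL = 2

def _kdf(secret: str) -> bytes:
    # Constructed fixed salt for the demo; real systems use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), b"demo-salt", 10_000)

# Constructed account record (hypothetical values, not from the article).
ACCOUNTS = {"1000001": {"pw": _kdf("correct horse"), "answer": _kdf("maple")}}
_DUMMY = _kdf("no-such-account")

# Deny by default: only a fully authenticated session may do anything sensitive.
ALLOWED = {AuthState.FULL: {"view_profile", "reset_security_questions"}}

class Session:
    def __init__(self):
        self.state, self.account = AuthState.ANONYMOUS, None

    def submit_password(self, account_no: str, password: str) -> bool:
        rec = ACCOUNTS.get(account_no)
        # Same work and same answer for unknown accounts, so generated
        # account numbers cannot be confirmed from the response.
        ok = hmac.compare_digest(_kdf(password), rec["pw"] if rec else _DUMMY)
        if rec and ok:
            self.state, self.account = AuthState.PASSWORD_OK, account_no
        return bool(rec and ok)

    def submit_answer(self, answer: str) -> bool:
        # The security question is reachable only after the password check.
        if self.state is not AuthState.PASSWORD_OK:
            return False
        ok = hmac.compare_digest(_kdf(answer), ACCOUNTS[self.account]["answer"])
        if ok:
            self.state = AuthState.FULL
        return ok

    def authorize(self, action: str) -> bool:
        # A PASSWORD_OK session has no entry in ALLOWED, so it gets nothing.
        return action in ALLOWED.get(self.state, set())
```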
Bank of Montreal, after being contacted by CBC News to ask whether any ransom had been paid, said: “Our practice is not to make payments to fraudsters.” Simplii did not give a direct answer to the question.