Another Canadian bank’s U.S. division has apparently been sideswiped by the MOVEit file transfer server vulnerability.
CIBC National Trust of Chicago, part of the Toronto-based Canadian Imperial Bank of Commerce, is telling customers of its Private Wealth Management service that some of their personal information was copied when one of its third-party providers, Pension Benefit Information (PBI), was hit by a cyber attack in May.
The copy of the letter filed with the attorney general’s office of Massachusetts under its data breach notification law doesn’t say how PBI was compromised. However, in its letter to the Massachusetts AG’s office, PBI says its MOVEit server was hacked between May 29th and 30th, and a number of organizations have come forward since to say data PBI was processing for them was stolen at that time.
According to researchers at Emsisoft, since the end of May at least 41 organizations have admitted that the hack of PBI’s MOVEit server resulted in loss of data they sent to the company.
PBI checks government and other databases on behalf of insurance firms, pension funds, and other organizations for information such as deaths to ensure corporate benefits are properly paid.
The copy of CIBC’s Massachusetts letter blanks out what kind of information about CBIC Private Wealth Management customers was stolen. Nor does it say how many people are being notified.
Asked for comment, CIBC’s Toronto headquarters said a “small number” of people were affected. “We have conducted a thorough review of the issue which affected a third-party vendor and are reaching out as appropriate to provide support to a small number of clients in response,” Tom Wallis, the bank’s senior director of public affairs, said in an email. “CIBC systems were unaffected by the incident.”
MOVEit, made by Progress Software Corp., is used for the secure transfer of large files.
Earlier this month, the Bank of Nova Scotia’s Scotia Wealth Management division in the U.S. began notifying American customers whose data was compromised when the MOVEit server of consulting company Ernst and Young LLP (EY) was hacked. Scotiabank hasn’t said how many customers were affected.
The Clop/Cl0p ransomware gang, which apparently discovered the zero-day vulnerability, has taken credit for around 250 of the hacks of an estimated 963 victim organizations.
Not all were hit individually. In the case of PBI, for example, one service provider was the source of data stolen from dozens of corporate customers. In turn, each customer could have hundreds or more customers.
EY, Deloitte and PwC were hit once but, like PBI, yielded several victim firms.
UPDATE: More U.S. financial institutions are admitting their customers were sideswiped by suppliers who had vulnerable MOVEit servers. In data breach notification filings with the Maine attorney general’s office, BankGloucester of Massachusetts said it is notifying just over 19,000 people, and Mauch Chunk Trust Company of California said it is notifying almost 30,000. Both had sent data to Darling Consulting Group, which advises financial institutions on risk management and uses MOVEit for file transfers.
In addition, Oak Ridge Associated Universities (ORAU) of Tennessee notified Maine that it is sending letters to just over 33,000 people involved in a Department of Energy supplemental screening program. ORAU uses MOVEit to transfer data.
(Readers should note that many U.S. data breaches wouldn’t be known to the public without the disclosure laws of several states, including Maine, Massachusetts and California. They have laws that require organizations that send data breach notification letters to residents of their states to also file a copy of the letter with their attorney general’s office. These states post online a copy of the letter (not including a recipient’s name). For reporters and security researchers trying to tally data breaches, the Maine attorney general’s site is especially informative because organizations not only have to file the number of letters that go to residents in the state, but also the total number of letters sent to American residents. In Canada some federal and provincial laws oblige firms suffering data breaches to notify a privacy commissioner, but there is no obligation for a public listing of victim companies.)