U.S. division of CIBC apparently sideswiped by MOVEit hack

Another Canadian bank’s U.S. division has apparently been sideswiped by the MOVEit file transfer server vulnerability.

CIBC National Trust of Chicago, part of the Toronto-based Canadian Imperial Bank of Commerce, is telling customers of its Private Wealth Management service that some of their personal information was copied when one of its third-party providers, Pension Benefit Information (PBI), was hit by a cyber attack in May.

The copy of the letter filed with the attorney general’s office of Massachusetts under its data breach notification law doesn’t say how PBI was compromised. However, in its letter to the Massachusetts AG’s office, PBI says its MOVEit server was hacked between May 29th and 30th, and a number of organizations have come forward since to say data PBI was processing for them was stolen at that time.

According to researchers at Emsisoft, since the end of May at least 41 organizations have admitted that the hack of PBI’s MOVEit server resulted in loss of data they sent to the company.

PBI checks government and other databases on behalf of insurance firms, pension funds, and other organizations for information such as deaths to ensure corporate benefits are properly paid.

The copy of CIBC’s Massachusetts letter blanks out what kind of information about CBIC Private Wealth Management customers was stolen. Nor does it say how many people are being notified.

Asked for comment, CIBC’s Toronto headquarters said a “small number” of people were affected. “We have conducted a thorough review of the issue which affected a third-party vendor and are reaching out as appropriate to provide support to a small number of clients in response,” Tom Wallis, the bank’s senior director of public affairs, said in an email. “CIBC systems were unaffected by the incident.”

MOVEit, made by Progress Software Corp., is used for the secure transfer of large files.

Earlier this month, the Bank of Nova Scotia’s Scotia Wealth Management division in the U.S.  began notifying American customers whose data was compromised when the MOVEit server of consulting company Ernst and Young LLP (EY) was hacked. Scotiabank hasn’t said how many customers were affected.

The Clop/Cl0p ransomware gang, which apparently discovered the zero-day vulnerability, has taken credit for around 250 of the hacks of an estimated 963 victim organizations.

Not all were hit individually. In the case of PBI, for example, one service provider was the source of data stolen from dozens of corporate customers. In turn, each customer could have hundreds or more customers.

EY, Deloitte and PwC were hit once but, like PBI, yielded several victim firms.