U.S. division of CIBC apparently sideswiped by MOVEit hack

Share post:

Another Canadian bank’s U.S. division has apparently been sideswiped by the MOVEit file transfer server vulnerability.

CIBC National Trust of Chicago, part of the Toronto-based Canadian Imperial Bank of Commerce, is telling customers of its Private Wealth Management service that some of their personal information was copied when one of its third-party providers, Pension Benefit Information (PBI), was hit by a cyber attack in May.

The copy of the letter filed with the attorney general’s office of Massachusetts under its data breach notification law doesn’t say how PBI was compromised. However, in its letter to the Massachusetts AG’s office, PBI says its MOVEit server was hacked between May 29th and 30th, and a number of organizations have come forward since to say data PBI was processing for them was stolen at that time.

According to researchers at Emsisoft, since the end of May at least 41 organizations have admitted that the hack of PBI’s MOVEit server resulted in loss of data they sent to the company.

PBI checks government and other databases on behalf of insurance firms, pension funds, and other organizations for information such as deaths to ensure corporate benefits are properly paid.

The copy of CIBC’s Massachusetts letter blanks out what kind of information about CBIC Private Wealth Management customers was stolen. Nor does it say how many people are being notified.

Asked for comment, CIBC’s Toronto headquarters said a “small number” of people were affected. “We have conducted a thorough review of the issue which affected a third-party vendor and are reaching out as appropriate to provide support to a small number of clients in response,” Tom Wallis, the bank’s senior director of public affairs, said in an email. “CIBC systems were unaffected by the incident.”

MOVEit, made by Progress Software Corp., is used for the secure transfer of large files.

Earlier this month, the Bank of Nova Scotia’s Scotia Wealth Management division in the U.S.  began notifying American customers whose data was compromised when the MOVEit server of consulting company Ernst and Young LLP (EY) was hacked. Scotiabank hasn’t said how many customers were affected.

The Clop/Cl0p ransomware gang, which apparently discovered the zero-day vulnerability, has taken credit for around 250 of the hacks of an estimated 963 victim organizations.

Not all were hit individually. In the case of PBI, for example, one service provider was the source of data stolen from dozens of corporate customers. In turn, each customer could have hundreds or more customers.

EY, Deloitte and PwC were hit once but, like PBI, yielded several victim firms.

The post U.S. division of CIBC apparently sideswiped by MOVEit hack first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Canadian is among foreign nationals pleading guilty to involvement with Lockbit ransomware

Two foreign nationals have pleaded guilty in the US District of New Jersey to their involvement in the...

FBI rapidly hacks into Trump shooter’s phone, raises privacy concerns

Just two days after the attempted assassination at a Trump rally, the FBI announced it had gained access...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways