
PIPEDA Findings #2021-003: Security deficiencies at BMO lead to large-scale breach
This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The Office of the Privacy Commissioner of Canada (OPC) found that BMO's online banking software contained significant vulnerabilities, and that BMO's developer security testing, vulnerability management, and oversight/monitoring were deficient; together these gaps allowed attackers to access sensitive data such as financial account numbers and Social Insurance Numbers (SINs). BMO has since implemented substantial improvements to its security safeguards.
- Adequacy of BMO's technical safeguards to protect personal information.
- Effectiveness of BMO's developer security testing and evaluation processes.
- Sufficiency of BMO's vulnerability management protocols.
- Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.
Complaint well-founded, but resolved through corrective actions.
The OPC found that BMO contravened PIPEDA by failing to implement appropriate safeguards commensurate with the sensitivity of the personal information held. However, the finding was resolved because BMO made significant improvements to its security practices and technical safeguards following the breach.
AI-generated summary for reference only. Always verify against the official decision.
BMO was required to implement significant improvements to its security protocols, systems, testing, and operations to address the identified deficiencies.
- Principle 4.7 PIPEDA
- Principle 4.7.1 PIPEDA
- Principle 4.7.3 PIPEDA
This summary is informational only and not legal advice.

