The hackers who claim to have stolen the personal information of thousands of BMO and Simplii Financial customers are demanding a $1 million ransom in the form of Ripple's XRP, according to CBC.
Earlier this week, BMO (Bank of Montreal) and Simplii Financial, a digital bank owned by CIBC, warned customers that crooks are claiming to have stolen their personal data.
The thieves say they have accessed the information - including names, account numbers, passwords, security questions and answers, and social insurance numbers - of around 90,000 customers in total.
CBC is now reporting that an email purportedly from the thieves, which seems to have come from Russia, demanded $1 million in XRP by the end of this Monday for the safe return of the data.
With the deadline now passed, it is not clear if the ransom was paid or if the data has been released into the wild. BMO told CBC that it is not its practice to pay fraudsters, while Simplii says it is working with law enforcement and cybersecurity experts.
In the email, the hackers also explain how they acquired the data: they used an algorithm to get account numbers, which allowed them to pose as authentic account holders who had forgotten their password. This enabled them to reset the backup security questions and answers and gain access to the account.
"They [the banks] were giving too much permission to half-authenticated account which enabled us to grab all these information," says the email, adding that the bank "was not checking if a password was valid until the security question were input correctly."
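The two weaknesses the email describes, too much permission for a half-authenticated session and a password that was not checked before the security-question step, are both closed by recording how far a session has authenticated and gating every action on that stage. The Python example below is added here for illustration and is not code from either bank or from the CBC report; the `Session` class, the stage names and the sample account are hypothetical.

```python
import hashlib, hmac, os
from enum import IntEnum

class Stage(IntEnum):
    IDENTIFIED = 1   # account number supplied, nothing proven yet
    PASSWORD_OK = 2  # password verified, security answer still pending
    FULL = 3         # password and security answer both verified

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_account(password: str, answer: str, profile: dict) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": kdf(password, salt), "answer": kdf(answer, salt), "profile": profile}

# Constructed sample data: account number, secrets and profile are made up.
ACCOUNTS = {"0001": make_account("correct horse", "maple", {"name": "Sample Customer"})}

class Session:
    def __init__(self, accounts: dict, number: str):
        self.account, self.stage = accounts.get(number), Stage.IDENTIFIED

    def _require(self, stage: Stage) -> None:
        # Deny by default: each action names the stage it needs.
        if self.account is None or self.stage < stage:
            raise PermissionError(f"requires {stage.name}, session is {self.stage.name}")

    def _check(self, field: str, value: str) -> bool:
        return self.account is not None and hmac.compare_digest(
            self.account[field], kdf(value, self.account["salt"]))

    def verify_password(self, password: str) -> bool:
        if self.stage == Stage.IDENTIFIED and self._check("pw", password):
            self.stage = Stage.PASSWORD_OK
        return self.stage >= Stage.PASSWORD_OK

    def verify_answer(self, answer: str) -> bool:
        self._require(Stage.PASSWORD_OK)  # the password is checked before this step
        if self._check("answer", answer):
            self.stage = Stage.FULL
        return self.stage == Stage.FULL

    def read_profile(self) -> dict:
        self._require(Stage.FULL)
        return self.account["profile"]

    def reset_security_answer(self, new_answer: str) -> None:
        self._require(Stage.FULL)  # never available to a half-authenticated session
        self.account["answer"] = kdf(new_answer, self.account["salt"])
```

A session that has only supplied an account number can neither read the profile nor reset the security answer, and the security-question step itself is refused until the password has been verified.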