Cybercriminals may have the stolen data of nearly 90,000 customers from two of Canada’s largest banks in what appears to be the first significant cyberattack on a Canadian financial institution.

Bank of Montreal and Canadian Imperial Bank of Commerce (CIBC) both announced Monday they had each been contacted by fraudster’s claiming to have stolen personal and financial information of a limited number of the bank’s customers.

A spokesperson from the Bank of Montreal, the country’s fourth-largest lender, said they believe less than 50,000 were affected by the incident, however, declined to say whether any customers lost money as a result of the attack.

The scammers threatened to make the data public and the bank is working with authorities to conduct an investigation. Officials believe this attack originated from outside the country.

CIBC, the nation’s fifth-largest lender, said it has not yet confirmed the cyber breach but is taking the claim seriously of stealing the information of 40,000 customers from the bank’s Simplii direct banking brand.

Both banks are contacting those who have been affecting and are providing instruction on how to monitor their accounts for suspicious activity. 

Despite this being the first attack of its kind on a major Canadian bank, researchers said the attack is far from unusual.

“These attacks are as common as it gets,” Joseph Carson, chief security scientist at Thycotic, told SC Media. “Banks are, and will continue to be, prime targets and cybercriminals are trying to get past bank security thousands of times a day.”

Carson called it surprising that the cybercriminals made the attack public via the media, which is an unusual step that typically results in them not getting any financial gain. He added that it’s more common for criminals to sell the stolen data to other cybercriminals who will abuse the information however, it looks like the criminals here attempted to extort the banks as well.

Overall, researchers called the attacks disturbing. James Lerud, head of the Verodin Behavioral Research Team, told SC Media that both banks found out about the stolen data from the hackers  meaning that their detection and prevention measures utterly failed.

“This is plainly an extortion attempt, where the hackers threaten to publish stolen data unless they receive a ransom,” Lerud said. “It’s hard to say what the motivation for demanding the ransom is.”

He went on to say this could be because the stolen data isn’t as valuable as the hackers made it out to be and that the attackers would still use the stolen information even if paid.

Mukul Kumar, CISO and vice president of the cyber practice at Cavirin, said the banks need to understand where the threat came from because this appears to be an escalation and a different type of database that was compromised.

“Here in the U.S., members of Congress have called for more secure forms of identification. Frankly, this could be one of the final nails in the coffin for traditional forms of national identification,” Kumar said. “The U.S. and Canada will need to work harder on this moving forward because the problem is not going to go away.”