Personal Data of 90,000 Customers Stolen in Canadian Banking Hack, XRP Demanded as Ransom

A group of hackers stole the personal data of roughly 90,000 users from two Canadian banks, threatening to release the information unless a ransom of $1 million is paid in Ripple’s cryptocurrency, XRP.

Customers of the two banks involved, Bank of Montreal and Simplii Financial, are rightfully a bit distressed. Data breaches are becoming an increasingly common and newsworthy phenomenon in 2018. Debates rage on about how users can best protect their personal details in the digital age, while data stewards like Facebook attract the ire of customers and governments alike for the cavalier way in which they manage users’ data assets. Anyone with an email inbox will be aware of the recently introduced GDPR (General Data Protection Regulation), a regulation in EU law intended to protect the personal data of all individuals within the EU, with repercussions being felt globally. Data protection is a major theme in today’s digital ecosystem, and one that won’t go away anytime soon.

In the early days of online banking, many folks were eager to trade their privacy and security for convenience. While the majority of online banking users have not suffered a serious, debilitating breach, some are slowly beginning to consider whether that trade was truly worth the risk. As reported by Canadian news site CBC News in a story about the hack, some are expressing buyer’s remorse:

“It’s concerning,” Mike McCarthy of Edmonton, a customer of Simplii, said. “I’m not sure in this day and age what I can do to get control of that data again.”
“Some of those things you can’t change about yourself so I’m sure it’s going to exist out there for as long as someone wants to look for it.”
McCarthy says he’s heartened by the bank’s response, offering free credit monitoring and some other services. But he still worries about what he calls “glaring gaps” in the banking system.
“Who knows? Maybe I go back to showing up at the teller,” he said. “I don’t want to, but who knows what might happen next?”

There is something ironic about two traditional, centralized banks being hacked with cryptocurrency specified as ransom. The case for keeping your money with a bank versus underneath your mattress is obvious: security, customer support, access to various banking services like credit monitoring, recourse should your funds be stolen, some small bit of interest, etc. In its current form, decentralization as an alternative to a central bank addresses just some of these needs. As regards the security of personal data (not the funds themselves), decentralized finance is more airtight by its very nature. Since no personal details need be associated with funds or accounts, a crypto user can thus be insulated and need not worry about the accessibility of data they never shared. As personal data leaks become a household conversation topic, this will continue to be a point of emphasis for crypto advocates.

Another theme interwoven in this story is the specific cryptocurrency choice the hackers made. Firmly entrenched as the third-largest cryptocurrency by market share, XRP is divisive across the crypto community. Bitcoin maximalists disregard it as a crummy alt-coin with no real value proposition, while Ripple’s fans extol its many bank partnerships, varied service lines, quick transaction times, and cross-border payment solutions (given that the hackers have already been traced to Russia, that last factor is quite applicable here).

The response on Ripple’s subreddit was interesting; while there is a consensus that hackers are bad, one commenter wondered if wanting XRP instead of Bitcoin in a high-profile ransom case could be positive publicity. Others speculated this could be a nefarious plot to tarnish XRP’s reputation, speculation that was generally dismissed. Many participants made bank partnership jokes, a kind of in-joke in the Ripple community given how often new partnerships are rumored and announced. But one thing that stood out was the rumination on XRP as one of the most traceable cryptocurrencies. Why, then, would hackers demand XRP and not a privacy-focused coin like Dash or Monero? Or why not just use Bitcoin and keep it simple? The Crypto Economist does not know and would never dream of engaging in irresponsible speculation. And as is often the case with high-profile crimes, we will probably never find out.

Disclosure: This post, as with all Crypto Economist branded posts, is a personal opinion written for informational purposes only. This post does not constitute investment advice, legal advice, tax advice, or any other sort of advice. Likewise, the information herein should not be interpreted as any endorsement, recommendation, or sponsorship of any particular company, token, or security.