Simplii is a low-priced online bank owned by Canadian Imperial Bank of Commerce, and was launched past year after CIBC - which is Canada's fifth-largest bank - split from a two-decade partnership with Loblaw Cos.
The fraudsters said they accessed information such as names, account numbers, passwords, security questions and answers and even social insurance numbers and account balances by exploiting weaknesses in the two banks security systems.
Just one hour after Simplii Financial's statement, the Bank of Montreal issued a statement of its own about an attack which it believes originates from outside the country.
BOM said it has notified and is working with relevant authorities as it continues to assess the situation; reports indicate it has affected up to 50,000 customers.
BMO said that a limited number of customers were impacted: "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off", the company said in a statement.
Both BMO and CIBC said they will contact clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.
"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures", Michael Martin, Senior Vice-President at Simplii Financial stated.
"We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster and a threat was made to make it public".
As for Simplii, the direct banking brand had previously announced that fraudsters may have accessed data from its client's accounts.
The banks are now in the process of contacting potentially affected customers.
"Our practice is not to make payments to fraudsters", Bank of Montreal said.
Cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada says cyber incidents overall are skyrocketing and companies need to work to improve resiliency in the event of attack.