Canadian fintech firm Wealthsimple has confirmed a data breach that exposed sensitive customer information. The incident, detected on August 30, was traced to compromised software supplied by a third-party vendor.
According to Wealthsimple, the exposed data included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. The company stressed that passwords were not compromised, no client accounts were accessed and no funds were stolen.
The firm also said it acted quickly, containing the intrusion within hours. Its internal security team, supported by external experts, launched an investigation and notified privacy and financial regulators. All affected customers received direct email communication by September 5.
Support for Affected Clients
Wealthsimple has introduced a package of support measures, including:
- Two years of free credit monitoring
- Dark-web monitoring
- Identity theft protection and insurance
- A dedicated support team for affected customers
Cyber Risks on the Rise
The Wealthsimple breach is part of a broader trend of cyber incidents in Canada.
In recent months, the House of Commons, WestJet and several Ontario school boards have reported attacks.
An IBM study released this summer found the average cost of a data breach in Canada rose to $6.98m, with breaches in the financial sector averaging nearly $10m.
Wealthsimple, which manages more than C$84b ($60m) in client assets, said it has since enhanced its defenses to prevent similar incidents. The company urged customers to enable two-factor authentication, use strong unique passwords and stay alert to phishing attempts.
“Thank you, as always, for the trust you put in us. We take it very seriously,” the company concluded.
Update September 9. Wealthsimple shared the following statement with Infosecurity: “We apologize for this incident, which happened as a result of a third-party vulnerability. We informed impacted clients as quickly as possible and set up complimentary credit and dark web monitoring, as well as identity theft protections. Significantly less than 1% of our clients were affected. We’re continually strengthening our security infrastructure and have already made improvements to prevent this type of issue from happening again.”