Waratah Capital Advisors Ltd., a $4-billion hedge fund manager that handles money for wealthy Canadians, is dealing with a cybersecurity breach that may have exposed sensitive client information including names, social insurance numbers and account sizes.
Toronto-based Waratah disclosed in a note to clients this week that it is dealing with a cybersecurity incident and that its investigation is continuing.
The money manager said it is still determining the extent of the breach, but its investigation has found certain personal information may have been impacted, including investor names, addresses, SINs, dates of birth, phone numbers, account numbers and amounts of investments.
So, you’ve been hacked. Now what?
Waratah manages approximately $4-billion in assets for high-net-worth individuals, family offices, foundations and pension funds.
“Despite our commitment to taking the privacy and security of our clients’ information seriously and having in place robust safeguards – including advanced firewalls, regular penetration testing and comprehensive employee training – an unauthorized party was able to access certain Waratah information through a third-party IT provider,” the money manager told clients.
Waratah discovered the breach on June 24, and its investigation determined that the incident “involved our backup systems managed by our IT provider and was not a result of direct intrusion on our internal network.”
The sensitive information that may have been retrieved was stored in records provided to the money manager. Waratah has reported the breach to law enforcement.
Cybersecurity breaches, or hacks, are on the rise and a growing list of Canadian companies that store sensitive private information have been affected.
In 2019, LifeLabs Medical Laboratory Services, Canada’s largest lab testing company, dealt with a major cyberattack that led to the theft of lab results for 85,000 Ontarians and potentially the personal information of 15 million customers. In response, LifeLabs paid a ransom to the hackers.
The same year, Desjardins Group responded to a major data breach that affected all 4.2 million of its customers. However, that breach, which involved personal information including SINs, but not banking information or passwords, was the result of an employee who went rogue.
Because these breaches have become so common, a growing number of institutions now regularly pay for cyberinsurance in the event they have to pay a ransom after an attack. They also sometimes spend billions of dollars each year, depending on the size of the organization, on technology and security to keep hackers out.
However, technology is getting so advanced, and the threats are becoming so common, that it can be difficult for smaller organizations to keep up.
Hackers are also able to find low-cost ways in, such as convincing employees who have access to sensitive information to click links in e-mails that give hackers access to their computers or credentials.
Third-party information technology managers have also become targets. In 2023, mutual fund providers Mackenzie Investments and Franklin Templeton Canada were affected by a hack of this type and personal information – including SINs in some cases – was stolen.
Waratah was founded in 2010 by Blair Levinsky and Brad Dunkley. Prior to teaming up, Mr. Levinsky was a managing director at TD Securities and Mr. Dunkley was a portfolio manager at Gluskin Sheff + Associates Inc.
Waratah told clients its full investigation could take several weeks, and the money manager is offering them 24 months of complimentary credit monitoring.