Photo caption: Wealthsimple said affected customers would receive two years of free credit and dark-web monitoring, as well as identity theft protection and insurance. (Giordano Ciampini/The Canadian Press)

Wealthsimple’s security head apologized to customers on Monday after the company revealed a data breach leaked the sensitive information of thousands of its clients. He asserted there was nothing to suggest that the data accessed was misused.

The Toronto-based online financial services provider announced on Friday that a security incident had compromised some customers’ personal information, including social insurance numbers, account numbers, dates of birth and government IDs provided during the Wealthsimple sign-up process.

“We sincerely apologize for any frustration this incident caused our clients,” said Justin Grudzien, chief information security officer at Wealthsimple, in a statement to The Globe and Mail. “We have no evidence to suggest that the data accessed was misused and I can confirm that Wealthsimple was not targeted in this attack.”

According to the company, the breach was detected on Aug. 30 and contained within a few hours. Wealthsimple said the incident is related to a compromised “software package” built by a trusted third-party vendor, though the company declined to provide further details. It also declined to comment on the capacity in which it worked with the third-party vendor or on whether the vendor is still working with the firm.

Wealthsimple said the incident was unrelated to previous attacks on Salesforce, which has recently been at the centre of several malicious cybersecurity breaches.

Mr. Grudzien reiterated the company’s statement on Friday that “significantly” less than one per cent of the provider’s clients – roughly 30,000 people out of a customer base of roughly three million – were impacted by the breach.

The company has “already made improvements to prevent this type of issue from happening again,” he said.

While Wealthsimple has said that client passwords weren’t compromised and no funds were accessed or stolen, experts say that even those who haven’t been notified or directly impacted should take steps to protect themselves.

Sandy Boucher, who leads the investigations and cybersecurity practices at accounting and business advisory firm Doane Grant Thornton, said the full scale of a cybersecurity breach’s impact is not always immediately apparent.

He gave the example of the Yahoo data leaks that unravelled between 2013 and 2016. The first public notice from Yahoo Inc. and Yahoo Canada came in December 2016, concerning a breach that had happened in 2013.

In September 2016, the public learned of a second breach that had happened in 2014. Further announcements were made in 2017 for breaches that had occurred years earlier.

Mr. Boucher said the first step for customers to take when a service provider experiences a data breach, even if their own accounts weren’t immediately compromised, is to secure those accounts by changing passwords immediately and ensuring multi-factor authentication is enabled.

If the same password was reused across other accounts, the best course of action is to change it on all of those accounts, particularly e-mail accounts.

“Think about what it means that the bad guys have all this data: Could they have enough to try and socially engineer themselves into your phone account or your e-mail account or your bank account?” Mr. Boucher said.

“Once they get into your e-mail, they’re going to see everything that’s going on,” he said.

The bottom line, he said, is “if you’ve reused the password, absolutely, go change it and don’t reuse the passwords again.”

He also said customers of a service provider affected by a breach of this scale should pay special attention to monitoring bank, e-mail and telephone accounts.

However, Mr. Boucher cast doubt on advice circulating on social media about the need to lock down a SIM card after an incident of this nature, unless there is specific reason to believe that someone has enough information to take over your phone. While SIM cloning fraud exists, it is rare and typically targets people who hold a lot of cryptocurrency.

For a typical banking breach, he said, this approach is “a little extreme” and not the most useful step.

Reliable password managers such as LastPass, along with monitoring services, can help both by managing strong, unique passwords and by monitoring the dark web for compromised credentials.

“It’s really time consuming and irritating, but again, not as bad as being a real victim of fraud,” said Mr. Boucher.

Wealthsimple said affected customers would receive two years of free credit and dark-web monitoring, as well as identity theft protection and insurance. Impacted users were notified directly by e-mail and those who didn’t receive a message by 10:30 a.m. Eastern time on Friday were not affected.

In an e-mail, the company recommended that affected clients set up their credit monitoring service as soon as possible.

They can also add fraud-alert notifications to their credit file, which will alert them if someone tries to open credit under their name.
