Wealthsimple says a recent cybersecurity breach exposed sensitive client information, including Social Insurance Numbers and account numbers.
The Toronto-based online bank and investment firm says the breach was linked to a compromised software package built by a trusted third-party vendor. The issue was detected on Aug. 30.
“We acted quickly, and in a few hours the issue was contained,” the company said in a statement. “Our security team, with the help of external experts, immediately began a thorough investigation.”
Wealthsimple says the affected data was accessed only briefly and that all client accounts remain secure.
What wasn’t accessed
No client passwords were compromised, no funds were accessed or stolen, and all accounts remain secure.
What was accessed
Data exposed may include contact details, government ID, account numbers, IP addresses, dates of birth and Social Insurance Numbers (SINs)
The company later confirmed that the incident affected fewer than one per cent of its clients.
Wealthsimple says all impacted users were notified directly by email. Anyone who did not receive a message by 10:30 a.m. ET on Sept. 5 was not affected.
Affected clients are being offered two years of free credit monitoring, dark web surveillance, identity theft protection and insurance.
Wealthsimple also says it has strengthened internal systems since the incident and is encouraging all clients to take these steps to protect their information online:
Enable two-factor authentication (2FA) with an authenticator app for added login securityWatch for phishing attempts: Wealthsimple says it will never ask for passwords, authentication codes or request money transfersAvoid reusing passwords across platformsReport suspicious messages or calls to Wealthsimple support