Wealthsimple, a leading Canadian online investment management service, has disclosed a data breach after attackers stole the personal data of an undisclosed number of customers in a recent incident.
Founded in 2014 and headquartered in Toronto, the financial services firm holds over CAD$84.5 billion in assets (approximately $61 billion). It offers a wide range of financial products targeting investments, trading, cryptocurrency, tax filing, spending, and savings to over 3 million Canadians.
Wealthsimple's Android app has over 1 million downloads on the Google Play Store, while its iOS app has collected over 126,000 ratings from Apple users.
As shared in an official statement and breach notifications emailed to customers (seen by BleepingComputer), the company detected the breach on August 30th.
Wealthsimple stated that the attackers did not steal any funds and did not compromise passwords, ensuring that all customer accounts remain secure.
"We learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of our clients being accessed without authorization for a brief period," Wealthsimple said.
"Data that was accessed was personal information like contact details, government IDs provided during the Wealthsimple sign-up process, financial details, such as account numbers, IP address, Social Insurance Number, or date of birth."
Since detecting the incident, the financial services company has notified impacted customers via email, and it is now providing them with two years of complimentary credit monitoring, as well as dark-web monitoring, identity theft protection, and insurance.
Affected customers are advised to secure their accounts using two-factor authentication (2FA) with an authenticator app, never reuse passwords, and remain vigilant against potential phishing attempts impersonating Whealthsimple.
Breach likely part of Salesloft supply-chain attack
... continue reading