Wealthsimple reported a data breach affecting some customers due to a supply chain attack via a third-party software package.
Canadian investment platform Wealthsimple disclosed a data breach that impacted some customers. The company discovered the security breach on August 30, which stemmed from a supply chain attack via a trusted third-party software package.
“On August 30th, Wealthsimple detected a data security incident. All accounts remain secure, and no funds were accessed or stolen.” reads the security update published by the company. “We acted quickly and in a few hours the issue was contained. Our security team, with the help of external experts, immediately began a thorough investigation. We learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of our clients being accessed without authorization for a brief period.”
Wealthsimple quickly mitigated the attack and locked out the intruders. The root cause of the incident appears a software package developed by an unnamed third-party services provider. Wealthsimple says less than 1% of its customers’ personal data was compromised in the breach. The accessed data includes personal information like contact details, government IDs provided during the Wealthsimple sign-up process, financial details, such as account numbers, IP address, Social Insurance Number, or date of birth.
The fintech firm highlighted that the intrusion was contained within hours and no funds were accessed or stolen. The attackers did not compromise passwords and all the accounts remain fully secure.
Wealthsimple notified affected clients by email and offered two years of free credit monitoring, darkweb monitoring, ID theft protection, and insurance. A dedicated support team is available, regulators were informed, and enhanced security measures are in place. Non-notified clients were not impacted.
Wealthsimple, founded in 2014 in Toronto, is Canada’s leading fintech with over C$84B in assets and 3M clients. It offers robo-advisory portfolios, commission-free stock/ETF trading, crypto, tax filing, and savings accounts. Backed by Power Corp, it’s praised for ease of use and low fees, though it lacks broader global investment options.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)
