Several of Canada’s major wealth managers are notifying fund investors that their personal information – including social insurance numbers – has been breached in a data hack.
Mutual fund providers Mackenzie Investments and Franklin Templeton Canada are among the companies that have sent letters to clients this week, revealing that their personal information was stolen in a cyberattack at the end of January.
The breach is linked to back-office service provider InvestorCOM Inc., which provides printing and delivery of client materials and used the popular data transfer tool GoAnywhere. Fortra, the cybersecurity company that owns GoAnywhere, recently said it could have been breached as early as Jan. 18. Companies and organizations around the world have been affected, including The Procter & Gamble Company, multinational power company Hitachi Energy and the City of Toronto.
Mackenzie Investments said in its letter to clients that social insurance numbers, names and addresses were revealed as part of the breach. Franklin Templeton said that SINs were not revealed but that investors’ names, addresses, account numbers and, in some cases, dealer account numbers had been. Neither company shared how many clients had been affected.
GoAnywhere’s clients also include fund manager Gluskin Sheff + Associates Inc., which learned of the breach from GoAnywhere in early March. In mid-March, social-media postings from a group that calls itself “CIOp ransomware” identified Onex Corp., which owns Gluskin, as one of 130 corporate targets of a data-theft campaign.
Many clients have also been notified about the hacks by their investment advisers. Edward Jones and Royal Bank of Canada are just two of the institutions that have also notified clients who hold mutual funds provided by these two companies that their data were compromised.
In a letter to clients, Edward Jones said it was tightening controls around account access, transactions and payment processing.
The scale of the breach demonstrates how companies can be vulnerable to data breaches through third-party sources and vendors providing basic internet services, a problem that experts say will only get worse as technology companies become increasingly interconnected.
In a statement, InvestorCOM said it has many clients and “can confirm that only a small number of our Canadian clients were impacted.”
Toronto Dominion Bank and RBC are both InvestorCOM customers, according to the vendor’s website. These companies did not respond to The Globe’s questions about whether they too had experienced breaches of their own.
Mackenzie Investments said it is offering two years of free credit monitoring via a TransUnion Credit Report, fraud-victim assistance, $1-million in identity-theft insurance and Dark Web monitoring for exposed personal information. However, it warned customers they would need to stay vigilant for credit cards opened in their name, mail redirect notices or unexpected account statements.
In separate e-mails, spokespeople for AGF Management Limited, HSBC Bank Canada, Invesco, Caldwell Securities Ltd. and Equitable Life of Canada Inc. – all also identified by InvestorCOM as clients – said their companies had not been affected by the breach.
“What this illustrates is that you don’t just have to be concerned about your own security as a provider of goods and services, but of your suppliers’ security and the entire technology supply chain,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University (formerly Ryerson).
Data breaches like the attack on GoAnywhere are increasingly being used to exploit less-sophisticated security systems to get at larger institutions with fewer vulnerabilities, Mr. Finlay said. “It’s a growing challenge and there isn’t an easy solution in sight.”
In letters to clients, Mackenzie Investments said it was only informed by InvestorCOM of the breach on March 28, and Franklin Templeton said it received copies of the files involved with the unauthorized access on April 4 – in each case, more than two months after the initial breach.
Lisa Kearney, chief executive officer of the Women CyberSecurity Society Inc., said it's concerning that these companies did not catch the unauthorized access sooner, and that it speaks to a lack of proactive measures to detect security incidents.
Moreover, while reviews of data breaches can take months to complete, companies often notify customers of possible data loss within a few days, she said, noting the companies could have acted more quickly to inform investors of the attack.
The Office of the Privacy Commissioner of Canada said it was aware of the breach and is working with organizations to determine next steps.
Editor’s note: This story has been changed to remove a reference to RBC providing clients with identity-theft insurance and credit monitoring. Those services are being provided to clients by Mackenzie.