Wealthsimple, a Canadian online investment management service with over CAD$84.5 billion in assets and 3 million users, suffered a data breach on August 30th. Attackers exploited a compromised third-party software package to unauthorizedly access personal data of less than 1% of its clients. The stolen information included contact details, government IDs (e.g., Social Insurance Numbers), financial account numbers, IP addresses, and dates of birth. While no funds or passwords were stolen, the breach exposed sensitive customer data, prompting Wealthsimple to offer two years of free credit monitoring, dark-web monitoring, identity theft protection, and insurance to affected users. The company advised enabling 2FA, avoiding password reuse, and staying alert for phishing attempts. Though initially linked to the ShinyHunters extortion group’s Salesforce breaches, Wealthsimple later clarified the incident was unrelated to Salesforce. The breach highlights risks from third-party vulnerabilities in financial services.

Wealthsimple, a Canadian online investment platform managing over $61 billion in assets, disclosed a data breach affecting less than 1% of its 3 million customers (~30,000 individuals). The incident, detected on August 30, exposed sensitive personal data including contact details, government-issued IDs (e.g., passports/driver’s licenses), account numbers, IP addresses, Social Insurance Numbers (SINs), and dates of birth. While no customer funds or passwords were compromised, the breach involved unauthorized access to a third-party software provider’s system, allowing attackers to exfiltrate onboarding verification documents and personally identifiable information (PII) for a brief period before containment. The breach underscores risks tied to supply chain vulnerabilities in fintech ecosystems, where third-party integrations can become attack vectors. Wealthsimple emphasized that financial accounts remain secure, but the exposure of SINs and IDs heightens risks of identity theft, phishing, or fraudulent account openings. The company did not disclose the root cause (e.g., unpatched flaw, misconfiguration, or credential theft) or the specific third-party vendor involved. Regulatory scrutiny under Canada’s PIPEDA or provincial privacy laws (e.g., Ontario’s Personal Information Protection Act) is likely, given the sensitivity of the leaked data.

The Maine Office of the Attorney General reported a data breach involving Wealthsimple US, Ltd. on November 30, 2020. The breach occurred on October 17, 2020, due to unauthorized access through an external system, affecting 58 individuals, including one resident. Compromised information included personal details and financial account numbers.