Wealthsimple, a Toronto-based financial services firm managing more than CAD$84.5 billion in assets, has confirmed a data breach that exposed sensitive customer information. The company detected the incident on August 30 and has since notified affected clients via email.
According to Wealthsimple’s statement, the breach stemmed from a compromised software package developed by a trusted third party. While fewer than 1% of clients were impacted, the stolen data included personal details such as contact information, government IDs, account numbers, Social Insurance Numbers, IP addresses, and dates of birth.
No Funds or Passwords Compromised
The fintech firm emphasized that attackers did not gain access to customer funds or passwords. “All customer accounts remain secure,” Wealthsimple assured, while stressing that the unauthorized access was brief. Still, the stolen information could be used in phishing or identity theft schemes.
Support for Affected Clients
To mitigate the risk, Wealthsimple is providing impacted customers with two years of complimentary credit monitoring, dark-web surveillance, identity theft protection, and insurance. The company also urged all users to enable two-factor authentication, avoid reusing passwords, and stay alert for fraudulent emails impersonating the platform.
Clarification on Salesforce Connection
The breach initially raised concerns that Wealthsimple might have been caught in a wider wave of Salesforce-related data thefts allegedly tied to the ShinyHunters extortion group. However, the firm clarified that the incident is unrelated. “This attack is not connected to Salesforce,” a spokesperson told BleepingComputer.
Wealthsimple’s disclosure underscores the growing risks financial technology firms face as they expand into diverse services such as trading, crypto, tax filing, and digital banking. With over 3 million Canadian clients relying on its platform, the company’s swift response seeks to reassure customers amid heightened anxiety about data security.