Wealthsimple has disclosed a data security incident that occurred on August 30, confirming that fewer than 1% of its clients had personal information accessed without authorisation for a short period.
The breach was traced to a compromised software package provided by a trusted third-party vendor. Wealthsimple said it contained the issue within hours and brought in external cybersecurity experts to assist with an investigation. It added that all accounts remain secure, no passwords were compromised, and no funds were stolen.
The exposed data included client contact details, government identification submitted during account sign-up, account numbers, IP addresses, Social Insurance Numbers, and dates of birth. Clients affected by the incident were notified by email by September 5.
To mitigate the impact, Wealthsimple is offering two years of free credit and dark-web monitoring, identity theft protection, and insurance coverage. The company has also reported the breach to privacy and financial regulators and set up a dedicated support team.
Broader Canadian context
The Wealthsimple breach comes amid a series of high-profile cyber incidents in Canada.
In August, the House of Commons confirmed an attack linked to a Microsoft SharePoint vulnerability, which exposed staff information and device details. In June, WestJet reported a cybersecurity incident affecting its mobile app and internal systems. Ontario school boards have also been impacted by ransomware targeting PowerSchool, leaving sensitive student and staff data at risk.
Industry data suggested the financial impact of breaches in Canada is escalating. An IBM study released this summer reported that the average cost of a data breach in Canada has risen to $6.98 million, a 10.4% increase from the previous year. Breaches in the financial sector cost closer to $10 million on average, making it one of the hardest-hit industries.
For the financial services sector, the incident underscores the increasing reliance on identity theft protection and cyber insurance as part of breach response strategies. Institutions are using bundled coverage to reassure clients and limit reputational fallout. Insurers, meanwhile, are seeing greater demand for cyber policies that cover third-party vendor risks and the regulatory obligations that follow a breach.
Looking ahead
Wealthsimple said it has enhanced its systems to prevent similar incidents and is encouraging clients to adopt further safeguards, including two-factor authentication, vigilance against phishing attempts, and unique, strong passwords.
Canadian financial firms are expected not only to protect data but also to provide immediate insurance-backed remedies when breaches occur. With costs rising and consumers increasingly concerned about personal data security, insurers and financial institutions are under pressure to strengthen cyber resilience and expand coverage options.
