Mackenzie Investments, one of Canada’s largest investment firms, recently suffered a data breach that exposed the social insurance numbers (SIN) of its clientele, along with other personal information.
The breach happened in late March after a third-party vendor, InvestorCOM Inc., was targeted by a cyber security attack related to data transfer supplier GoAnywhere.
Now, the incident has raised concerns about potential privacy breaches and the security practices of third-party vendors, with a former high-level employee describing the incident as “so dangerous.”
Terry Beck, who retired from the company in 2019, told CTV News Toronto that he received a letter from Mackenzie stating that his SIN had been compromised in the breach.
Like Beck, clients impacted by the breach received a letter from the firm dated April 27 informing them of the incident.
According to one of the letters reviewed by CTV News Toronto, Mackenzie informed its clientele that their account numbers, names, and addresses had also been compromised.
“This is so dangerous,” Beck told the news outlet. “It’s an opening of a door to a lot of places.”
He went on to say that SINs were not shared with third-party vendors when he was manager of operations at Mackenzie four years ago, as he expressed concerns that the practice could lead to further privacy breaches.
In response to these concerns, a spokesperson for Mackenzie Investments explained that the company now uses SINs to identify and provide notifications to clients.
“Companies may use SINs as an identifier for reasons such as consolidating investor holdings so that fees associated with their account are reduced,” the spokesperson told CTV News Toronto. “They may also share a client’s SIN as a unique identifier to third parties such as a dealer, group plan sponsor, and third-party service providers.”
Mackenzie has previously issued a statement regarding the data breach, stating that it regrets the impact that the incident has had on its clients. “Mackenzie takes privacy and data protection very seriously and we are committed to protecting the confidentiality of all personal information,” the statement read. “We greatly regret any concern or inconvenience this incident may cause to our valued clients.”
Mackenzie is among the handful of Canadian organizations recently impacted by cyberattacks. In April, Yellow Pages Canada was revealed to have suffered a data breach that exposed the personal information of employees and some customers.
What are your thoughts on this story? Feel free to comment below.