Toronto-based investment firm confirms that third-party vendor InvestorCOM Inc. was compromised, affecting clients’ names, social insurance numbers, and personal addresses.
- The breach occurred when hackers exploited a zero-day vulnerability in data transfer supplier GoAnywhere’s file transfer system, affecting organizations worldwide.
- Mackenzie Investments has reported the incident to privacy authorities and is offering impacted customers credit monitoring alerts, identity theft protection services, and fraud victim assistance.
A cybersecurity breach at one of Canada’s largest investment firms, Mackenzie Investments, has exposed clients’ personal information, including names, social insurance numbers, and addresses. The Toronto-based firm confirmed the incident to CTV News Toronto on Wednesday, revealing that third-party vendor InvestorCOM Inc. was compromised in relation to data transfer supplier GoAnywhere.
Mackenzie Investments was informed of the breach by InvestorCOM on March 28, as stated in a letter dated April 27 and signed by Mackenzie’s President and Chief Executive Officer, Luke Gould. The letter, which was sent to a client and obtained by CTV News Toronto, disclosed that the account number, name, address, and social insurance number of the client were exposed during the data breach.
The letter reassures clients that financial information, such as holdings and account balances, was not exposed in the incident. Moreover, it emphasizes that investors’ holdings in Mackenzie funds were not impacted, and the firm’s systems have not been compromised.
The breach occurred when hackers exploited a zero-day vulnerability in GoAnywhere’s file transfer system and accessed customers’ data at the end of January. Organizations around the world were affected by the ransomware attack, including Proctor and Gamble, Rubrik, and the City of Toronto.
In a statement released on Wednesday, a Mackenzie spokesperson said that after receiving notice from InvestorCOM, the firm immediately initiated a full forensic investigation. The investigation revealed that the personal information of current and some former investors was part of the incident. However, there has been no evidence of data misuse so far.
Mackenzie Investments has reported the incident to the federal privacy commissioner and provincial privacy commissions. The firm is offering impacted customers credit monitoring alerts, identity theft protection services, fraud victim assistance, and identity theft insurance in response to the breach.
Mackenzie Investments deeply regrets any concern or inconvenience caused by this incident and remains committed to protecting the confidentiality of all personal information.