Canadian fintech Wealthsimple reports data breach affecting less than 30,000 clients
Learn More
Wealthsimple, a Canada based online investment management service, is reporting a data breach that exposed sensitive personal information of approximately 30,000 clients.
The company detected the security incident on August 30, 2024, and publicly disclosed it on September 5, 2024. The breach was caused by a compromised software package developed by a trusted third-party vendor. The unauthorized access affected less than 1% of the company's client base, which translates to approximately 30,000 individuals based on their total customer count of 3 million Canadians.
Wealthsimple claims that no customer funds were stolen, no account passwords were compromised, and all customer accounts remain fully secure. Exposed data includes:
- Contact details (names, addresses, phone numbers, email addresses)
- Government-issued identification documents provided during the signup process
- Financial account numbers
- IP addresses
- Social Insurance Numbers (SINs)
- Dates of birth
The number of affected individuals is less than 30,000 clients, representing less than 1% of Wealthsimple's total customer base. The financial value of the incident and the specific method used by attackers to exploit the third-party software vulnerability have not been disclosed by the company.
Wealthsimple sent direct email notifications to all impacted clients by 10:30 AM Eastern Time on September 5, 2024. The company is providing affected customers with two years of complimentary credit monitoring services, dark web monitoring, identity theft protection, and insurance coverage.
Wealthsimple spokesperson clarified that this security incident is not related to the ongoing Salesforce data breach campaign that has affected multiple organizations.
Update - as of 8th of September 2025, a company representative reached with a clarification stating that "significantly less than 1% of customers were affected" (quoted below) , but did not provide an exact number. Their help page about the incident still states "This resulted in personal data belonging to less than 1% of our clients being accessed without authorization for a brief period."
We apologize for this incident, which happened as a result of a third-party vulnerability. We informed impacted clients as quickly as possible and set up complimentary credit and dark web monitoring, as well as identity theft protections. Significantly less than 1% of our clients were affected. We’re continually strengthening our security infrastructure and have already made improvements to prevent this type of issue from happening again.
