A data breach of social insurance numbers (SIN) belonging to the clientele of one of Canada’s largest investment firms is “so dangerous,” according to a former high-level employee at the company.
Terry Beck was the Manager of Operations at Mackenzie Investments, and an employee at the company for nearly 20 years, up until he retired in 2019. When he left, he divested his investments.
Yet a couple weeks ago, he said he received a letter from the corporation explaining that his SIN was compromised in a data breach.
Mackenzie informed clients in a letter dated April 27 that a third-party vendor, InvestorCOM Inc., was compromised by a cyber security incident related to data transfer supplier GoAnywhere. Clients’ account numbers, names, and addresses were also compromised, according to one of the letters, reviewed by CTV News Toronto.
“This is so dangerous,” Beck told CTV News Toronto. “It’s an opening of a door to a lot of places.”
To work in Canada or access government programs and benefits, a nine-digit number – known as a SIN – is assigned to an individual. It is “private” and “illegal” for anyone else to use, according to the federal government.
“It’s the gateway to the government,” Beck said.
He said that when he was manager of operations four years ago, SINs were not shared with third-party vendors and that the practice could lead to continued privacy breaches.
A spokesperson for Mackenzie later disputed this fact, telling CTV News Toronto it was not correct.
In a statement on Monday, a Mackenzie spokesperson explained the company now uses SINs to identify and provide notifications to clients.
“Companies may use SINs as an identifier for reasons such as consolidating investor holdings so that fees associated with their account are reduced,” a spokesperson said.
“They may also share a client’s SIN as a unique identifier to third parties such as a dealer, group plan sponsor, and third-party service providers.”
Beck acknowledged the necessity of consolidating a client’s accounts, but he questioned why a random set of numbers couldn’t stand in as a unique identifier, instead of a highly sensitive form of government identification.
“It could rear its head at any time down the road,” Beck said.
In a statement issued following the ransomware attack, Mackenzie said it regrets the effects the breach has had on their clientele.
“Mackenzie takes privacy and data protection very seriously and we are committed to protecting the confidentiality of all personal information. We greatly regret any concern or inconvenience this incident may cause to our valued clients,” a company spokesperson said in the statement.
The spokesperson said there has been no evidence of data misuse at this point in time and that the company reported the incident to the federal privacy commissioner, in addition to provincial privacy commissions.
LONG WAITS FOR RESOURCES
Shelly Rae, a Toronto resident and Mackenzie investor of about three decades, said she was concerned when she received a letter in the mail explaining that her personal information had been exposed.
“When someone has your name, phone number, address and SIN, that’s a pretty significant breach,” she said. “They can go on to steal your identity.”
After being notified that her information had been compromised, she said she spent about 10 hours on the phone in an attempt to sign up with a TransUnion credit monitoring service that Mackenzie is offering to impacted customers.
A Mackenzie spokesperson said the company is experiencing “particularly high volumes” of calls, leading to long wait times for victims of the breach seeking resources.
They said they “sincerely apologize” for the delays.
“The TransUnion call centres are doing their best to address all client concerns as quickly as possible by enhancing service capacity to help manage call volumes. We are proactively working with TransUnion to manage the high volume of calls and appreciate people’s patience,” the spokesperson said.
Despite credit monitoring services offered, Beck said “there’s nothing you can do” to change the fact that your SIN number is out there. “It will always be out there,” he said.
Mackenzie noted that it is monitoring a range of sources for exposed data and to date have found no evidence of misuse.