Canadian financial technology company Wealthsimple has disclosed a security incident involving unauthorized access to customer information. The company confirmed that the breach, detected on August 30, 2025, affected fewer than one percent of its clients and was contained within hours of discovery.
Wealthsimple emphasized that while certain personal details were exposed, all client passwords and financial assets remained fully protected. No funds were accessed, transferred, or stolen during the incident.
Breach Originated From Compromised Third-Party Software
According to Wealthsimple, the incident stemmed from a vulnerability in a trusted third-party vendor’s software package. Attackers were able to leverage the flaw to briefly access customer data.
The company’s internal security team detected the breach quickly and acted within hours to contain the unauthorized activity. External cybersecurity experts were brought in to assist with investigation and remediation. Wealthsimple confirmed that its core systems and account infrastructure were not compromised during the event.
Timeline of the Incident and Response
- August 30, 2025 – Unauthorized access detected and contained within hours.
- Post-incident – External experts engaged to conduct a full investigation.
- September 5, 2025, 10:30 AM EST – Affected clients were notified by email.
The company stressed that clients who did not receive a notification can be assured their data was not impacted.
Data Exposed During the Breach
Investigators determined that a limited set of customer information was accessed. This included:
- Contact details such as names and email addresses.
- Government identification documents submitted during registration.
- Financial information, including account numbers and IP addresses.
- Sensitive identifiers such as Social Insurance Numbers and dates of birth.
Despite the exposure of these records, the company confirmed that client credentials and funds were not impacted. Wealthsimple stated that passwords remained secure, ensuring no unauthorized account access could occur.
Data That Remained Protected
- Client passwords were safeguarded, preventing misuse of login credentials.
- Financial assets remained untouched, with no transfers or withdrawals carried out.
Wealthsimple highlighted that its layered security controls protected the most critical aspects of its platform, ensuring that clients retained uninterrupted and secure access to their accounts.
Company Actions and Ongoing Protections
Following the incident, Wealthsimple completed its client notification process and implemented additional security measures designed to prevent similar breaches. The company said it is reinforcing its systems against supply chain vulnerabilities while continuing to work closely with external experts.
In its disclosure, Wealthsimple underlined its commitment to protecting client trust, pointing to the swift response, the limited impact, and the absence of any compromise of financial assets as evidence of its resilience.
