Canadian fintech firm Wealthsimple has confirmed a data breach that exposed sensitive client details, including financial account numbers and government-issued IDs, following an attack on a third-party software provider. The company disclosed the incident in an “Important Security Update,” first published on September 5, 2025.
Breach Detected and Contained Within Hours
Wealthsimple reported that it discovered the breach on August 30. According to the company, its IT teams acted immediately to contain the issue.
“On August 30th, Wealthsimple detected a data security incident,” the firm stated. “IT teams acted quickly, and in a few hours the issue was contained.”
The fintech reassured customers that all accounts remain secure and emphasized that no passwords or funds were accessed. Despite that assurance, Wealthsimple acknowledged that the attackers gained temporary access to personal and financial records.
Customer Data Compromised in the Breach
Wealthsimple, which serves over three million clients from its Toronto headquarters, revealed that less than 1% of its customers were affected—approximately 30,000 people.
The exposed data included:
- Personal contact details (name, address, email, etc.)
- Government-issued IDs
- Financial account numbers
- Social Insurance Numbers (SIN)
- IP addresses
- Date of birth
Wealthsimple clarified that all affected clients have already been contacted, and reiterated that if customers did not receive a notification, their data was not impacted.
Security Experts Warn of Identity Theft Risks
Although the scope of the breach was limited, security professionals stressed that the exposed information still carries significant risk.
Steve Cobb, Chief Information Security Officer at SecurityScorecard, warned:
“While the incident was contained quickly and no passwords or funds were compromised, the exposed data still represents a significant risk.”
Cobb noted that tens of thousands of users are now vulnerable to fraud.
“Even at 1% of Wealthsimple’s customer base, the breach still includes tens of thousands of users whose information can now be weaponized for identity theft and fraud via social engineering,” he added.
Attack Origin Traced to Third-Party Vendor
Wealthsimple confirmed that the breach originated through a software package provided by a “trusted third party,” though it declined to name the vendor.
Cobb emphasized that the case highlights the risks linked to external providers:
“This incident reinforces the need for organizations handling sensitive data to treat every third-party integration as part of the security perimeter.”
He added that robust protections—including continuous auditing, embedded breach detection, and strict access controls—are critical to preventing similar compromises.
Wealthsimple Distances Itself From Salesforce Breach Campaign
The timing of the Wealthsimple incident raised questions about its connection to the massive Salesforce supply chain breach, which has affected more than 700 companies worldwide. Wealthsimple is listed as a Salesforce customer and has been publicly recognized as a “fastest growing online investment manager” on the CRM giant’s website.
However, a company spokesperson confirmed in an email to Cybernews that the breach was “completely unrelated to software giant Salesforce.” Canadian outlet Betakit reported that Wealthsimple refused to disclose the identity of the third-party vendor.
Fintech Firm Balances Growth and Security Challenges
Wealthsimple has built its reputation as a millennial- and crypto-friendly platform designed for customers under 45 who are often skeptical of traditional banks. Founder and CEO Michael Katchen previously told Salesforce:
“Millennials are missing out on opportunities to secure their financial future. A lot of young people are mistrustful of big banks and put off by the paperwork.”
The company, a subsidiary of The Power Corporation of Canada, issued an apology to impacted customers and acknowledged the anxiety caused by the exposure of personal information. To mitigate risks, Wealthsimple is providing:
- Dedicated customer support
- Complimentary credit monitoring
- Identity theft protection
- Insurance coverage for those affected
Broader Context of Salesforce-Related Attacks
The Wealthsimple breach comes as part of a turbulent year for enterprise cybersecurity. Dozens of major brands have been named as victims in the ongoing Salesforce-focused cyber campaign, including Jaguar Land Rover, Palo Alto Networks, Cloudflare, Zscaler, Workday, Allianz Life, Farmers Insurance, Air France, KLM, Coca-Cola, Cisco, Adidas, Chanel, and Louis Vuitton’s LVMH.
The campaign has been linked to a collaboration between three well-known cybercrime gangs: Scattered Spider, Shiny Hunters, and LAPSUS$, which have publicly taunted both their corporate victims and the FBI.
Wealthsimple, however, has made clear its own data breach was unrelated to this global attack chain.
