
Cyber Incident Victim: InvestorCOM

Date: Jan 2023

Location: Canada

Summary

A data breach at third-party vendor InvestorCOM compromised personal information of Mackenzie Investments and Franklin Templeton clients through vulnerabilities in the GoAnywhere file-transfer tool. Exposed data included names, addresses, and social insurance numbers for some Mackenzie investors, though Franklin Templeton confirmed SINs were unaffected in their case. The incident revealed concerns about prolonged retention of former clients' sensitive data by service providers. Affected individuals reported difficulties accessing promised identity protection services, including invalid enrollment codes, extended call wait times, and discrepancies in advertised insurance coverage limits. The breach prompted criticism from financial advisors regarding the adequacy of response measures and eroded client trust in the investment firm's data handling practices.


Description

In early January 2023, a data breach occurred involving the GoAnywhere secure file-transfer tool used by InvestorCOM Inc., a third-party service provider handling printing and delivery services for financial institutions including Mackenzie Investments and Franklin Templeton. Hackers exploited vulnerabilities in GoAnywhere’s software to access sensitive client information stored by InvestorCOM. The compromised data included names, addresses, and social insurance numbers (SINs) of current and former Mackenzie Investments clients. Franklin Templeton clients were also affected, though their SINs were not exposed. The breach remained undetected until GoAnywhere notified its clients in early March 2023, with Mackenzie Investments issuing formal notification letters to impacted individuals on April 27, 2023—nearly four months after the initial intrusion.

The incident revealed that InvestorCOM retained personal data of investors who had divested from Mackenzie funds years prior, including former executive Terry Beck, who had exited his investments in 2019. Affected clients reported difficulties accessing the two-year identity protection and credit monitoring services Mackenzie offered through TransUnion, with issues ranging from invalid registration codes to multi-hour call wait times and discrepancies in promised insurance coverage limits. TransUnion attributed delays to unexpectedly high call volumes. Legal scrutiny emerged over InvestorCOM’s data retention practices, as PIPEDA requires disposal of personal information that no longer serves its purpose, though no specific rules govern SIN retention. Mackenzie cited varying record-keeping mandates—such as six years under tax law or seven years for securities compliance—as justification for retaining data. Financial advisor Jason Jack criticized the response as inadequate, citing reputational risks and client distrust stemming from the breach.
