A group of investors has filed a lawsuit against several Canadian and U.S. financial institutions, alleging they failed to protect their clients after confidential investor information – including social insurance numbers – was stolen in a January cyberattack.
Merchant Law Group LLP has filed a class-action lawsuit this week against Canadian asset manager Mackenzie Investments; securities brokerage Edward Jones; back-office service provider InvestorCOM Inc., which provides printing and delivery of client materials using a popular data transfer tool called GoAnywhere; and U.S.-based Fortra LLC, the cybersecurity company that owns GoAnywhere.
The class action was filed on behalf of investors who hold Mackenzie funds and reside in British Columbia, Saskatchewan, Manitoba or Newfoundland and Labrador. These provinces have passed privacy legislation that allows for legal consequences if a privacy breach occurs. Other provinces, including Ontario, are not included.
The suit alleges that the January breach, which exposed sensitive information including SINs, originated through GoAnywhere, a secure file transfer software offered by Fortra.
The claim alleges that the vulnerability found in the GoAnywhere software by the attackers was similar to other “well known” data breaches that had occurred in 2021, and should have been a flag for the group of financial companies in the class action to take measures to prevent further attacks on client data.
“These eminent financial organizations were essentially warned that the confidential financial information they had received from Canadians was at risk, but nothing was done,” Tony Merchant, a partner at Merchant Law Group, said in a news release.
“Despite being aware of previous cyberattacks of a similar nature at other companies similar to the defendants, the defendants neglected their responsibility to exercise due diligence in preventing such incidents.”
At the end of March, InvestorCOM informed its clients – which include Mackenzie and Franklin Templeton – about the data breach.
In turn, an unknown number of Canadian investors holding funds from Mackenzie and Franklin Templeton were informed in early May that their personal information – including SINs – had been breached in a data hack. Mackenzie told clients that their SINs, names and addresses were revealed as part of the breach.
Mackenzie spokesperson Hilary Bassett declined to comment on the legal action.
Fund manager Gluskin Sheff + Associates Inc. and Franklin Templeton were also affected, and notified clients of the breach in March. Franklin Templeton said that SINs were not revealed but that investors’ names, addresses and account numbers had been. Gluskin Sheff and Franklin Templeton have not been named in the class action.
Many clients were also notified about the hacks through their investment advisers. Edward Jones and Royal Bank of Canada are just two of the institutions that notified clients who hold mutual funds from Mackenzie or Franklin Templeton that their data were compromised. (RBC is not named in the class action.)
Edward Jones Canada told The Globe and Mail in an e-mail that the company has not been served with the lawsuit and therefore has not yet reviewed it.
“We are aware of a data breach that an industry vendor used by Mackenzie Investments experienced in January of this year,” the e-mail said. “To be clear, no Edward Jones system was compromised in that incident. We take seriously our obligations to safeguard and protect our clients’ information. Our top priority remains serving our clients and helping them achieve financially what is most important to them.”
The breach has left customers questioning why their sensitive data was retained by a third party, through which the data breach occurred. Many of those whose information was stolen had not held assets with either fund provider for several years.
Federal privacy rules require Canadian companies to dispose of personal information that “no longer fulfills its intended purpose,” but there are no specific requirements related to the retention and deletion of SINs.
The legal claim alleges there is a “high probability” that an entire batch of information stolen from the financial companies has been “dumped on the black market or dark web,” as per the previous cyberattacks. It adds that SINs hold significant value for criminals engaged in fraud and identity theft, putting the plaintiffs at an “immediate and heightened risk” of financial losses and reputational damage.
Mackenzie told an investor in a letter dated May 15 and shared with The Globe that it had “no evidence at this time of any misuse of investor data.”
The company said it is offering clients two years of free credit monitoring through TransUnion, as well as fraud-victim assistance, $1-million in identity-theft insurance and monitoring of the dark web for exposed personal information.
But many clients struggled to access the support, saying they received notices that their TransUnion login code had already been used when they attempted to log in for the first time.
Clare O’Hara
Irene Galea