Skip to main content

The Globe and Mail

A robo-adviser's best defence against cyber threats? The in-house hacker

Justin Bull, left, and Lee Brotherston work at Wealthsimple, keeping a watchful eye on possible security breaches.


It's been three years since Justin Bull, a 26-year-old software engineer and hacker enthusiast, first identified the famed Heartbleed virus that penetrated the Canada Revenue Agency website causing 900 taxpayers' files – including social insurance numbers – to be compromised. Today, Mr. Bull continues to use his hacking abilities for the greater good in helping enhance cybersecurity for robo-adviser Weathsimple Financial.

Mr. Bull, who works in-house at Wealthsimple for the online portfolio managers as a full-time software engineer, is constantly keeping a watchful eye on possible security breaches for the company that just entered the industry two years ago and houses more than 30,000 client accounts.

"I taught myself programming at the age of 14 and ended up having a flair for the hacker side of it all, and while most teens wanted to spend their time exploring abandoned houses, I found hacking to be the equivalent of that," says Mr. Bull, who jokingly compares his teenage years with the "bad 1990s film Hackers."

Story continues below advertisement

"As I matured and grew older, I become more interested in building secure systems, breaking into [systems that companies allowed me to] and getting them fixed. For me, it was always about being a good, ethical person – not about finding information that could be sold on the black market."

The use of online hackers – also known as bug bounty hunters – is now becoming common practice among several Canadian robo-advisers to help increase security measures.

In addition to Wealthsimple, Wealthbar and Questrade Financial Group also incorporate the use of third-party hackers to assist in their security measures. (Other Canadian robo-advisers were not immediately available for comment.)

"Historically, the financial community may have looked at hackers as individuals who could potentially breach their company, but that view has really changed over the years with many of these responsible individuals helping report any vulnerabilities they find," says Chris Nicola, president of Wealthbar in Vancouver who uses a Canadian-based third-party "hacking" company for security measures.

In addition to having the watchful eye of Mr. Bull, six months ago Wealthsimple hired Lee Brotherston – another experienced hacker enthusiast – as their internal director of security.

"Although we do monitor systems for attacks, the vast majority of time is spent putting in place methods to reduce the probability of a successful attack in the first place," says Mr. Brotherston, who started hacking at the age of 14 and continues to hack part-time as a hobby.

Questrade hasn't brought on any internal hackers to test their systems directly, but rather has been using a local hacker group to help build awareness of the mindset and tactics used by hackers.

Story continues below advertisement

"We are looking at educating our entire company to help them understand how vulnerability gets exploited," says Christine Day, chief information officer at Questrade. "We want them to be aware of the perspective of the hacker, what the hacker actually sees when they are going to hack an organization relative to what is seen internally – that is extremely important for us to understand when it comes to cybersecurity."

Mr. Brotherston also works closely with third-party hacker communities – such as HackerOne, a company that helps connect more than 100,000 registered hackers with businesses looking to pay rewards for finding holes in their systems. More than 50 per cent of HackerOne's hackers are under the age of 24 – with 6 per cent being under 17, according to a 2016 report compiled by HackerOne. Hackers can be paid anywhere from $50 for small bugs, to up to tens of thousands of dollars for major bugs found in a company system.

Both Mr. Bull and Mr. Brotherston have been paid for several bugs they have found for companies outside of Wealthsimple – although nothing that would reap them riches, they say.

"You don't get into information security because it's a job to pay the bills," Mr. Brotherston says. "You get into it because it's an interest and a passion that you can turn into a job."

Report an error Editorial code of conduct
We have temporarily removed commenting from our articles. We expect to have our new commenting system, powered by Talk from the Coral Project, running on our site by the end of April, 2018. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to