Some Mackenzie Investments clients had personal information — but not holdings or account balances — revealed to hackers in a cyber breach earlier this year, the firm said Tuesday.
In January, Minnesota-based Fortra LLC discovered hackers had created unauthorized user accounts with customers of its managed file transfer service, GoAnywhere, which is touted as a secure way of sending sensitive data. One of those customers was Toronto-based software provider InvestorCOM Inc., a vendor of Mackenzie Investments.
The hackers were able to download files, Fortra said in a blog post in April. The Logic reported on the incident on Monday.
“After receiving notice from InvestorCOM, we took immediate steps to begin a full forensic investigation,” a Mackenzie Investments spokesperson wrote in an email on Tuesday to Investment Executive. “Through our investigation, we recently discovered some personal information of current and some former investors was part of this incident. Financial information, such as client holdings and account balances, were not exposed.”
The incident did not affect investors’ holdings in Mackenzie funds, the firm said, and it has seen no evidence of the data being misused.
“We have begun issuing notifications to impacted investors with more detailed information and the comprehensive steps we are taking and support we are providing to protect them. This includes credit monitoring for a period of two years that features credit monitoring alerts, identity theft protection services, fraud victim assistance and identity theft insurance,” Mackenzie stated.
InvestorCOM declined to comment other than pointing to its own May 1 press release, which said the firm recently became aware of the Fortra cybersecurity incident, which has been contained.
Fortra first learned of the incident on Jan. 30, the vendor said in an email through its agency.
“We immediately took multiple steps to address this zero-day vulnerability, including implementing a temporary service outage of this service to prevent any further unauthorized activity,” the statement said. “As we move forward from this event, we will continuously review our operating practices and security program to ensure we emerge stronger as an organization.”
The Office of the Privacy Commissioner of Canada said Tuesday that it is aware of the matter and is “communicating with organizations to obtain more information and determine next steps.”
The new self-regulatory organization also is observing the matter. “We are not aware of any member firms that are direct clients of GoAnywhere. We are, however, monitoring the situation and looking into the potential scope of the breach,” said Stephanie Teodoridis, senior public affairs and corporate communications specialist with the new SRO, in an email.