Security Incident | Wealth One Bank of Canada | Discussion forum

Security Incident
July 16, 2021
12:43 pm
HIS285

Today (July 16) I received a letter from WealthOne dated July 12 saying that there had been an incident that could affect the security of my personal information, including my name, date of birth, email address, address and phone number. I haven’t seen anyone else discuss this recently (though I was told that this affected many clients).

The letter says that on around May 8, 2021 a third party gained access to the email account of a WealthOne employee. It continues “the investigation did reveal that some of your personal information was available in the compromised mailbox… Based on our investigation, the information available in the compromised mailbox includes your name, date of birth, email address and may also include… address, phone number… customer number…and bank account information (…bank account number and account balance).”

What is of greatest concern to me is the fact that all this information was apparently just sitting in a mailbox, including my date of birth. In all my years on the Internet, I have never sent my birthday to anyone by email (and I’m not on Facebook or any other such outfit and would never enter my real birthdate even if I was). How could my birthdate just be sitting in a mailbox at a bank?

The letter provides a number to call for questions about the incident. Though it’s not indicated in the letter, that number leads to Kroll Monitoring. I called the number and asked how could my birthdate be in a mailbox when I have never sent my birthdate by email to anyone ever, and certainly not to WealthOne. The person who answered did not know. In fact, she couldn’t answer any of my questions and said she would ask WealthOne to call me back directly.

WealthOne took two months to notify me of this issue and then does not provide any details on why or how could all this information be just sitting in a mailbox. They provide a number to an outfit that has no more information than the letter I received. It’s pretty pathetic. I’m not sure what I can do at this point except hope that a third party won’t be able to access any of my accounts at other banks with the information taken during this incident.

July 16, 2021
1:08 pm
file

Hrm, it wouldn't surprise me if I've got a letter waiting for me for the same. How long were you a client?

July 16, 2021
1:55 pm
HIS285

file said
How long were you a client?  

Close to four years.

July 16, 2021
3:14 pm
julio

I am a member with W1B for four years. Everything is hackable. To keep inner peace, I wear the world like a loose garment. Peoples Trust, on their watch hack, offered some years of free credit bureau monitoring. I am, to this day, receiving monthly reports. If, in the future, W1B offers excellent rates, I'll deposit with them again, up to the coverage limit.
I called W1B and asked for my account number to be changed, which they did.

July 16, 2021
4:06 pm
HIS285

julio said
Everything is hackable.

I'm sure that's true to an extent.

My main concern is that my personal information was in a mailbox. Why and how? And also: my name and email address in a mailbox? Sure, it's possible (though lousy for a bank) since I sent emails to WealthOne before. But my date of birth? Again: why and how?

July 16, 2021
5:19 pm
pooreva

HIS285 said

julio said
Everything is hackable.

I'm sure that's true to an extent.

My main concern is that my personal information was in a mailbox. Why and how? And also: my name and email address in a mailbox? Sure, it's possible (though lousy for a bank) since I sent emails to WealthOne before. But my date of birth? Again: why and how?  

Maybe they did some kind of internal random audit and a person was sending your info to higher-ups, as usually higher-ups are way too lazy or ignorant to query databases.

July 16, 2021
5:38 pm
COIN

My account(s) with Simplii was hacked in 2018. Had to open new accounts with new passwords. An unfortunate fact of life in the 21st century.

July 17, 2021
1:16 pm
toto

I have GICs with Wealth 1. I like their bank and good rates. I think I'll call them on Monday too, just to see if my info was compromised. Thanks for the heads up.

July 17, 2021
4:42 pm
Doug
British Columbia, Canada

HIS285 said
Today (July 16) I received a letter from WealthOne dated July 12 saying that there had been an incident that could affect the security of my personal information, including my name, date of birth, email address, address and phone number. I haven’t seen anyone else discuss this recently (though I was told that this affected many clients).

The letter says that on around May 8, 2021 a third party gained access to the email account of a WealthOne employee. It continues “the investigation did reveal that some of your personal information was available in the compromised mailbox… Based on our investigation, the information available in the compromised mailbox includes your name, date of birth, email address and may also include… address, phone number… customer number…and bank account information (…bank account number and account balance).”

What is of greatest concern to me is the fact that all this information was apparently just sitting in a mailbox, including my date of birth. In all my years on the Internet, I have never sent my birthday to anyone by email (and I’m not on Facebook or any other such outfit and would never enter my real birthdate even if I was). How could my birthdate just be sitting in a mailbox at a bank?

The letter provides a number to call for questions about the incident. Though it’s not indicated in the letter, that number leads to Kroll Monitoring. I called the number and asked how could my birthdate be in a mailbox when I have never sent my birthdate by email to anyone ever, and certainly not to WealthOne. The person who answered did not know. In fact, she couldn’t answer any of my questions and said she would ask WealthOne to call me back directly.

That's not possible, actually. If you have an account with WealthOne Bank of Canada, they have your birth date. It's theoretically possible they might not have asked for it at account opening, but it would've been on your credit bureau, so would've been added at that point, as to not have a birth date on file at a bank, credit union, or money services business would be a serious omission of FINTRAC data retention requirements. It's a legally required bit of information one must provide.

WealthOne took two months to notify me of this issue and then does not provide any details on why or how could all this information be just sitting in a mailbox. They provide a number to an outfit that has no more information than the letter I received. It’s pretty pathetic. I’m not sure what I can do at this point except hope that a third party won’t be able to access any of my accounts at other banks with the information taken during this incident.  

This is anecdotal and there's little context here. I wouldn't worry about it, to be honest.

Cheers,
Doug

July 17, 2021
4:55 pm
HIS285

Doug said

That's not possible, actually. If you have an account with WealthOne Bank of Canada, they have your birth date. It's theoretically possible they might not have asked for it at account opening, but it would've been on your credit bureau, so would've been added at that point, as to not have a birth date on file at a bank, credit union, or money services business would be a serious omission of FINTRAC data retention requirements. It's a legally required bit of information one must provide.

I thought my post was pretty clear if not perfectly well written. I know banks have my date of birth on file. However, I would never have imagined that my personal information, including my date of birth, would be sitting in a mailbox at a bank. That is the main issue, for obvious reasons.

July 21, 2021
2:15 pm
Vatox

Yes, I too am curious why customer personal info is available in a mailbox. But I also accept that my personal info isn’t exactly secret information to begin with. However, I would expect that FI employees would not load a section of a database of customer info into an email! This isn’t just one or two customers so it’s definitely a database sitting in a mailbox.

July 21, 2021
2:26 pm
HermanH

I also called W1 to check on the status of my information and was told that I was unaffected. I asked them to remove any unnecessary information from my profile and I think that they removed my SIN, too. I was first told by Canadian Western Bank that my SIN was not mandatory. I was quite surprised to learn of this, since virtually every FI with which I deal seems to demand it.

I have been asking for the removal of all unnecessary information from each FI, whenever I happen to call. Some, like CTire, refuse to remove it and say it is necessary. I did not belabour the point, but I'll keep trying with the others.

If anyone would care to cite the exact wording of SIN non-requirement, that would be much appreciated. 🙂

July 21, 2021
3:51 pm
Lamaison

I found this quickly on an online legal page:

"You can open a bank account if you don't have a SIN. If you earn interest on money in your account, you will have to submit an income tax return to the Canada Revenue Agency (CRA). The banks will ask you if you have a SIN because they are obliged to report any interest you earn on money in your account to CRA. However, the banks do not need a SIN to report to CRA. The CRA can process your income tax return without a SIN".

July 21, 2021
5:54 pm
Bill

This week spouse and I each received same letter as HIS285.

July 21, 2021
8:55 pm
toto

My husband and I both got our letters today.

July 21, 2021
9:07 pm
Norman1

Lamaison said
I found this quickly on an online legal page:

"You can open a bank account if you don't have a SIN. If you earn interest on money in your account, you will have to submit an income tax return to the Canada Revenue Agency (CRA). The banks will ask you if you have a SIN because they are obliged to report any interest you earn on money in your account to CRA. However, the banks do not need a SIN to report to CRA. The CRA can process your income tax return without a SIN".

That's not true.

According to CRA, if you have a SIN or other tax identification number, you have to provide it if the account generates interest. $100 penalty for each failure to do so:

Failure to provide an identification number

Individuals, trusts, corporations, or partnerships have to give their social insurance number (SIN), trust account number or business number (BN) on request to anyone who has to prepare an information slip for them. A person or partnership that does not do so is liable to a $100 penalty for each failure to comply with this requirement. This penalty does not apply if the person or partnership had applied for, but had not yet received, a SIN, a BN or program account number at the time the return was filed.

A person who does not have an identification number must apply for one within 15 days of the date of an information request. After receiving the identification number, the person has 15 days to provide it to the person who is preparing an information return.

July 22, 2021
10:03 am
Bud

Why does CRA need SIN if they can collect tax without?

July 22, 2021
12:01 pm
Bill

Easier, more efficient for CRA to match tax return (which includes SIN) interest, etc. amounts reported with corresponding amount reported under same SIN to CRA by FI.

The letter from Wealth One had a special phone number to call re this incident, I ended up talking to a friendly USA-accent person (security outfit hired by the likes of Wealth One to handle calls re security breaches, it appeared) who really didn't know more than the letter said. I phoned Wealth One and was told there were two levels of risk and because my letter made no reference to my TransUnion credit file then I'm in the lower risk group so no real need to do anything except make sure I don't open any phishing emails posing as Wealth One and change my password more frequently, maybe once a month. I said ok.

Clarification: By higher vs lower risk I meant the amount of personal data that was compromised, some folks had more personal data in the hacked email box than others.

July 23, 2021
7:27 am
lhsaid

I tried to change my password; surprisingly, they still only support 8 digit (numbers) password!

July 23, 2021
11:32 am
toto

I called just now and they changed my client number; they said my account numbers, email and address were jeopardized.
