A January hack into an American file-transfer service has exposed the private data of customers doing business with Canadian financial-services firms, showing how far-reaching a cyberattack on a company that provides basic internet plumbing can be.
Mackenzie Investments, a unit of Power Corporation, is telling some customers that their personal information has been exposed, its vice-president of corporate communications, Nini Krishnappa, said in a statement to The Logic.
“We were made aware that one of Mackenzie Investments’ third-party vendors, InvestorCOM, was compromised due to a cybersecurity incident related to a technology supplier to InvestorCOM, GoAnywhere,” Krishnappa wrote in an email. “After receiving notice from InvestorCOM, we took immediate steps to begin a full forensic investigation. Through our investigation, we recently discovered some personal information of current and some former investors was part of this incident.”
Mackenzie learned of the breach March 28 but only recently discovered some client information—which doesn’t include detailed financial data—was involved, he wrote.
InvestorCOM is a Toronto-based vendor of software for regulatory compliance in the financial sector in the U.S. and Canada.
On InvestorCOM’s website, the company boasts clients such as RBC Global Asset Management, CIBC, TD Bank, BMO, Desjardins, CI Assante Wealth Management, Canada Life, HSBC, Equitable Life of Canada and more.
InvestorCOM’s vice-president of marketing, Karen Makedon, directed The Logic to an online statement it posted after The Logic sent the company questions: “InvestorCOM recently became aware of a cybersecurity incident involving unauthorized access to the company’s systems related to GoAnywhere, the third-party software used for secure data transfers.”
The statement did not say when exactly InvestorCOM discovered the cybersecurity incident nor did the company answer The Logic’s question regarding when. The statement did say that InvestorCOM immediately engaged a team of external cybersecurity experts to perform a forensic investigation and address the breach.
Only InvestorCOM’s Secure File Transfer Protocol system, which is hosted on the GoAnywhere application, was affected, and the incident is now contained, the statement said.
“Certain information related to a small number of our Canadian clients was impacted by this incident,” the statement added. “We have notified all impacted clients and are working closely with them.”
The cascade began with a January breach of the file-transfer tool GoAnywhere, made by Fortra, a Minneapolis-based provider of a range of data security and digital infrastructure services. Fortra disclosed in early February that GoAnywhere had been hacked, kicking off weeks of reporting about one data breach after another.
Dozens of firms and organizations have been affected, including the City of Toronto, Investissement Québec and Onex. A ransomware group called Clop has claimed responsibility.
Fortra (which renamed itself from HelpSystems last November) reported the results of an investigation on April 17. It said the hackers had found a way to create user accounts for themselves in customers’ systems, allowing them access to those customers’ files.
What Clop got from the hack depended on what the affected customers used GoAnywhere to transfer. Because InvestorCOM used GoAnywhere, some of its clients’ data was involved; what that data was, in turn, depended on the client company’s dealings with InvestorCOM.
“I think it speaks to the complexity of the software supply chains that companies, both small and large, are dealing with today,” said Leigh Honeywell, the Ottawa-based CEO and co-founder of cybersecurity firm Tall Poppy. “One company’s breach may end up being collateral damage for another company’s nation-state-level targeting.”
Tall Poppy specializes in fighting online harassment, but Honeywell has previously worked in cybersecurity for Slack and Microsoft. She compared the GoAnywhere hack to another in January, in which a hacker cracked into the systems of U.S. telco T-Mobile, and from there got into Google’s Fi cellphone service, which uses T-Mobile under its hood.
The Logic requested comment from a number of reported InvestorCOM clients, including RBC Global Asset Management, CIBC Mellon, TD Bank, BMO, Desjardins, CI Assante Wealth Management, Canada Life, HSBC and Equitable Life of Canada.
CIBC Mellon spokesperson Brent Merriman told The Logic in an email that there’s “nothing to report on our end.”
The firm uses InvestorCOM to support the “digital printing of certain financial-reporting documents published at the fund level,” but it does not share data or records about specific individuals or unitholders with it, he said.
Desjardins declined to comment, while the rest of those contacted did not respond by deadline.
After this story was published, Equitable Life spokesperson Patti McKague told The Logic the company is aware of the incident with InvestorCOM, but that “Equitable Life does not provide client information to InvestorCOM and, as a result, we’re not impacted by this.”
Meanwhile, Mackenzie has notified the office of the federal privacy commissioner of the hack.
“Our office has received a breach report from Mackenzie Financial. We are reviewing the report and will be in communication with the company to obtain more information,” wrote Vito Pilieci, a spokesperson for privacy commissioner Philippe Dufresne, in response to emailed questions from The Logic.
InvestorCOM has not filed a report with the commissioner’s office, Pilieci added, but in general, the federal law on privacy and data protection puts the onus on banks, insurance companies and investment firms—they’re responsible for what happens to any private data they share with vendors, he said.
The federal Liberals’ Bill C-26 would give the government the power to impose cybersecurity obligations on federally regulated companies that operate digital systems it designates as critical infrastructure. Introduced last spring, the bill has completed second reading in the House of Commons, but has not yet been taken up by a committee for detailed scrutiny.
“I think companies who have that specific financial impact, there’s an increased duty of care—or at least, we should as a society be treating them as having an increased duty of care—to be vetting those vendors to be good stewards of people’s data,” Honeywell said.
That can be extremely burdensome, she said; some of the largest companies will have tens of thousands of vendors.
“If you’re taking on the business risk of outsourcing, whatever the business function is that that software accomplishes, you have to understand what the security implications of that are. That is your duty as someone who is procuring software—to understand the security of the software that you’re procuring,” she said.
Editor’s note: This story has been updated to include information that Equitable Life of Canada provided after publication, and to reflect that Mackenzie said after publication that although customer data was exposed, the company has no evidence it was improperly taken. This story was also updated to reflect that Mackenzie uses InvestorCOM’s client communication services, not its software solutions.