Major data breach touches U.S. robo, but risk ‘extremely low’

By Melissa Shin | February 28, 2017 | Last updated on October 27, 2023

Established financial services players are far from immune to cybersecurity threats — witness how the Heartbleed bug took down CRA in 2014, and how IIROC accidentally lost data from 52,000 clients in 2013.

But when a new technology gains momentum — like robo-advice — people will scrutinize any vulnerability.

This became apparent last week, after a data leak affecting more than 3,000 sites, including Uber, FitBit and OKCupid, came to light. Betterment, a U.S. robo-advisor, was on an unofficial list of affected sites compiled on GitHub.

The data leak came through Cloudflare, a content delivery network used by more than 5.5 million sites. From September 2016 through February 2017, a vulnerability within Cloudflare leaked passwords and authentication tokens from customer websites. The leak was discovered by a Google security researcher on February 17.

Betterment confirmed to Advisor.ca that it uses Cloudflare “to optimize the performance of our applications,” but stressed that Betterment “is confident that customer account information is safe. Additionally, Cloudflare performed its own internal review and determined that Betterment’s data was not included in the information exposed by the vulnerability.”

The firm elaborated on Twitter:

When asked if Betterment would continue to use Cloudflare, a representative responded, “We continually evaluate all of our vendors.”

How Canadian robos protect client data

Invisor, Justwealth, ModernAdvisor, Nest Wealth, Responsive Capital Management, SmartMoney and WealthBar include the question of asset protection in their FAQs; each of these robos states that it protects client money by holding it with a third-party custodian, and that clients are protected by CIPF insurance (which covers insolvency). Nest Wealth and SmartMoney both say they do not allow custodians to re-hypothecate assets; nor can clients have margin accounts.

WealthBar conspicuously lists its security measures on its website, including SSL encryption and frequent security audits. “It would be very difficult to steal a client’s assets because we only move funds between accounts we have identified are registered to the client,” Chris Nicola, WealthBar’s co-founder and chief technology officer, tells us. “So it wouldn’t be possible to withdraw or transfer funds to another account that did not belong directly to the client.”


In their privacy policies, Invisor, Justwealth, ModernAdvisor and Responsive specifically state that data are encrypted. ModernAdvisor says it uses Amazon Web Services’ secure servers and Responsive says it uses OpenShift. SmartMoney and WealthSimple say their data are password-protected.

Change your passwords

It’s good online hygiene to change your passwords periodically, especially after a leak the size of the Cloudflare incident. Avoid reusing passwords across sites, and consider using a password manager to generate and store strong, unique passwords. You can also enable two-factor authentication on websites that offer it.

Check whether a website could have been affected by the Cloudflare bug using DoesItUseCloudflare.com.


Melissa Shin

Melissa is the editorial director of Advisor.ca and leads Newcom Media Inc.’s group of financial publications. She has been with the team since 2011 and been recognized by PMAC and CFA Society Toronto for her reporting. Reach her at mshin@newcom.ca. You may also call or text 416-847-8038 to provide a confidential tip.