The Canada Life Breach And The Data The Headlines Overlooked

When Canada Life disclosed its cyber incident this spring, I paid close attention, and not only as an advisor: my own information was caught up in it. Initial reports said the incident exposed the personal information of up to 70,000 people, most of them employees of a single large corporate client. Insurance Business Canada reported in June, however, that the group behind the breach has since listed more than 5.5 million records for sale on a criminal forum, a figure Canada Life has not verified and one analysts caution is likely overstated to pressure a ransom.

What Canada Life has confirmed

Canada Life has said that the criminal group ShinyHunters gained access through a single employee account and used it to query data held in the company’s Salesforce CRM. The company has described the incident as contained, said it has notified the individuals it identified as affected, and offered them free credit monitoring. According to the insurer and subsequent reporting, the data accessed included names, dates of birth, mailing addresses, gender, and annual income, and did not extend to social insurance numbers, banking details or medical records.

The roughly 70,000 figure is Canada Life’s verified count of individuals whose data it confirmed was accessed. The dataset the attackers published, since indexed by Have I Been Pwned, holds more than 200,000 unique email addresses. ShinyHunters itself claimed to have reached as many as 5.6 million records, a figure Canada Life has not verified and one I would treat as the attacker’s assertion rather than a confirmed total. For a plan sponsor, the distance between the confirmed count and the volume of data actually in circulation is the first reason to read the official summary as a starting point rather than a complete account.

The data that actually surfaced

The records I saw directly did not match that description. In those records the exposed data contained no dates of birth. It contained names, salutations, job titles, email addresses, phone numbers, mailing addresses and records of recent support interactions with the insurer. The published dataset indexed by Have I Been Pwned describes much the same contents, listing names, phone numbers, addresses and, in some cases, support tickets, which matches what I saw.

Below is one of the messages I’ve received since the breach — a fake Canada Life “signature required” notice designed to feel both routine and urgent. I’ve received it twice, and I know other advisors who have seen it several times over.

One of the messages I received impersonates Canada Life, invents a signing deadline, and threatens to place a hold on the policy if I don’t act.

The footer is where it falls apart: a mismatched recipient, an unsubscribe line in Spanish, and a sender with no connection to Canada Life.
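As an added illustration, not part of the original post, the footer and urgency checks described above applied to a constructed message in Python; the sender domain, the addresses and the trusted-domain allowlist are placeholders, not the insurer’s real ones.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the notice described above (not the real message);
# every address and domain here is a placeholder.
SAMPLE = """\
From: Canada Life Documents <docs@bulk-mailer.example>
To: someone.else@other.example
Subject: Signature required: policy hold in 24 hours
Content-Type: text/plain; charset=utf-8

Your policy document requires a signature by tomorrow.
If no signature is received, a hold will be placed on the policy.

Para darse de baja, haga clic aqui.
"""

# Assumed allowlist of domains the insurer really sends from; replace it with
# the domains confirmed with the carrier (hypothetical placeholder here).
TRUSTED_SENDER_DOMAINS = {"canadalife.example"}
SPANISH_UNSUBSCRIBE = ("darse de baja", "cancelar suscripci")
URGENCY_PHRASES = ("signature required", "by tomorrow", "hold will be placed")


def check_message(raw: str, my_address: str) -> dict:
    """Return {indicator: detail} for the red flags found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    name, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    # Display name claims the insurer, but the sending domain is not theirs.
    if "canada life" in name.lower() and domain not in TRUSTED_SENDER_DOMAINS:
        findings["impersonated_sender"] = f"'{name}' sent from {domain}"
    # Mass-mailed phish often carries someone else's address in To:.
    _, to_addr = parseaddr(str(msg.get("To", "")))
    if to_addr.lower() != my_address.lower():
        findings["recipient_mismatch"] = f"To: {to_addr} is not {my_address}"
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    # An unsubscribe line in a language the insurer does not use with you.
    if any(p in body for p in SPANISH_UNSUBSCRIBE):
        findings["foreign_unsubscribe"] = "Spanish unsubscribe footer"
    subject = str(msg.get("Subject", "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in body or p in subject]
    if hits:
        findings["manufactured_urgency"] = ", ".join(hits)
    return findings


if __name__ == "__main__":
    for key, detail in check_message(SAMPLE, "me@plan-sponsor.example").items():
        print(f"{key}: {detail}")
```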

A phishing problem, not a credit problem

The protection Canada Life offered does not line up with the risk this particular data creates. Affected individuals were given free credit monitoring, which is designed to flag new accounts opened in someone’s name. It does little against phishing, which is the more immediate danger when the exposed information is contact and support data rather than financial data. A name, an employer, a job title and the subject of a recent support request give an attacker enough to send a message that reads like a genuine follow-up from the insurer or the employer.

For a plan sponsor, that shifts the real exposure away from a fraudulent credit application some months from now and toward a convincing email reaching an employee in the near term. Canada Life made a version of this point itself when it warned its stakeholders to be alert to phishing and other malicious messages following the incident, and benefits specialists told Benefits and Pensions Monitor that credit monitoring is only a partial response to a breach of this kind.

The footprint was wider than one roster

The exposure also reached beyond the single client whose employees made up most of the affected count. Canada Life’s own guidance acknowledged that the people connected to the incident extended past customers to include employees, plan sponsors and advisors. I can confirm that from my own experience, because my information was among the data exposed, as was that of several plan administrators I work with and, in at least one case, a plan member who held no administrative role at all. That breadth matters, because it means a plan sponsor cannot assume the carrier’s summary accounts for everyone in their own organization who was affected. The only reliable way to know who was caught up in an incident like this is to confirm it directly, rather than to rely on the headline figure or the broad categories a carrier uses to describe who was notified.

What plan sponsors should actually do

If your people were affected, the right response is more specific than either raising an alarm or relying on the carrier’s standard remediation.

  • The first thing I would do is treat the carrier’s notice as a floor rather than a complete account. That means asking employees directly whether they received a notification from Canada Life, and having your advisor press the insurer for detail on who within the plan was affected and what was exposed, on the understanding that the answer can differ from one person to the next. Employees can also confirm their own exposure at no cost by checking their email addresses against the published data on a free service such as Have I Been Pwned.
  • The second step is to tell affected employees plainly that the more immediate risk is a convincing email rather than a fraudulent credit application, so that they know what to watch for in the weeks ahead.
  • The third is to put a simple verification rule in place and hold to it, so that no change to payroll, banking or benefits is ever actioned on the basis of an email alone, no matter how legitimate that email appears.

None of this is the kind of guidance that arrives in a portal notification. Pressing the carrier for specifics, translating a general notice into action for a particular plan, and making sure the response fits the people who were actually affected: this is the work I do for clients, and it is what separates a client who has simply received a notice from one who understands what that notice means for their organization.

Reading what the disclosure leaves out

Carriers will continue to be targeted, because the data held in a benefits file has become valuable identity data in its own right. When the next incident is disclosed, the notice will likely read much as this one did, with assurances that the breach is contained and that those affected have been notified and offered protection. The useful work begins after that notice arrives, and in my experience it lies in understanding what the disclosure does not spell out and making sure the response matches the risk your employees actually face.