Coinsquare had indications over a year ago that thousands of its customers’ personal data had been breached, but only notified a handful of them at the time, BetaKit has learned.
Vice was first to report, last week, that hackers had obtained the personal information of more than 5,000 Coinsquare users, including email addresses, phone numbers, physical addresses, and more. The reported hacker told Vice about plans to use the data for SIM swapping attacks.
Coinsquare has said the company first found out about “a possible data breach” in early 2019. In emails sent to Coinsquare users last week, obtained by BetaKit, the company said the number of Coinsquare users affected at the time was limited to four. Stacey Hoisak, Coinsquare’s general counsel, suggested to Vice that the company was not originally aware of the full extent of the breach.
In a recent interview with BetaKit, Coinsquare CEO Cole Diamond revealed, however, that “the indications given a year ago in terms of the size and scope of the breach, fall in line with what we were able to identify this week, in terms of the ultimate amount of personal information that was let out.”
While Coinsquare notified law enforcement and the Office of the Privacy Commissioner of Canada last year, as it is required to do by law, the cryptocurrency trading platform only contacted the four users whose data it could confirm was breached.
Diamond explained to BetaKit that, in 2019, Coinsquare was contacted by a person who indicated they had obtained the personal data of thousands of Coinsquare users and prospective users. However, the person only provided the names and details of six: four of whom were Coinsquare account holders and two who were prospective users, said Diamond. The CEO said the data breach occurred “roughly 18 months ago.”
At the time, Coinsquare only alerted the four Coinsquare account users whose data the company could confirm was breached.
Under Canada’s federal privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to “report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals; [as well as] notify affected individuals about those breaches.”
The act states that companies are only required to report a breach, no matter the size, “if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm” to an individual. Significant harm refers to “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” This also applies to any personal information that has been “transferred to a third party for processing.”
“What I’m trying to explain on that is we have no way of validating it whatsoever,” Diamond told BetaKit, regarding the possibility thousands of users’ data had been breached last year.
“Nobody to contact, nobody that was engaged with us, to tell us, and therefore not much we could do about it, nobody we could communicate with besides from those who we knew were impacted,” the CEO added.
When BetaKit later asked Diamond to confirm that Coinsquare had only contacted four users in 2019 about the breach despite knowing that thousands could have been affected, he said, “No, I didn’t know that there were thousands. I did not say that.”
“I said that there were indications given by this person saying that they had thousands but we had no reason to believe that was true,” he told BetaKit.
Coinsquare has been adamant that the data was not stolen from its platform by a hacker, but was breached by a former employee.
As part of Vice’s investigation, the publication was provided with a version of the data that was stolen. It included over 5,000 rows of users’ email addresses, phone numbers, and, in some cases, physical addresses.
Diamond confirmed to BetaKit that of those rows, 3,900 were actual Coinsquare users, while the other 1,100 were prospective customers. All user information was held in a third-party customer relationship management (CRM) system.
The CEO also confirmed that Coinsquare is confident the recently shared data was the same data that was breached 18 months ago.
“We saw the data, we matched it side by side,” said Diamond, adding, “no users that have come on in the last 18 months are in the list, which points it to the exact time frame as before.”
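The side-by-side check Diamond describes, together with the split into 3,900 account holders and 1,100 prospects, amounts to joining the leaked rows against the account table on a normalized identifier and then reading two things off the matches: how many rows belong to real accounts, and the newest signup date among them, which bounds the earliest time the copy could have been taken. The following Python is an added example of that check, not Coinsquare’s or BetaKit’s code; the user records, leaked rows, field names and the cutoff date are all constructed for illustration.

```python
"""Bound the date of a leaked customer list by joining it to the account table.

Added example; not code from Coinsquare or BetaKit. Assumes a CRM dump whose
rows carry an "email" field and an account table keyed by email with the
account creation date. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Mapping, Optional


def normalize_email(addr: str) -> str:
    """Trim and lowercase so the same mailbox written two ways still joins."""
    return addr.strip().lower()


@dataclass(frozen=True)
class MatchReport:
    matched_users: int                 # leaked rows that belong to account holders
    prospects: int                     # leaked rows with no account (CRM prospects)
    latest_signup: Optional[date]      # newest account creation date among matches
    accounts_created_after_cutoff: int # matches that contradict the suspected theft date


def match_leak(leaked_rows: Iterable[Mapping[str, str]],
               users: Mapping[str, date],
               cutoff: date) -> MatchReport:
    """Join leaked rows to users on normalized email.

    `users` maps normalized email -> account creation date.
    `cutoff` is the date the theft is believed to have happened; if any
    matched account was created after it, the copy must be newer than assumed.
    Duplicate rows in the dump are counted once.
    """
    seen = set()
    matched_dates = []
    prospects = 0
    for row in leaked_rows:
        email = normalize_email(row["email"])
        if email in seen:
            continue
        seen.add(email)
        created = users.get(email)
        if created is None:
            prospects += 1
        else:
            matched_dates.append(created)
    latest = max(matched_dates) if matched_dates else None
    after_cutoff = sum(1 for d in matched_dates if d > cutoff)
    return MatchReport(len(matched_dates), prospects, latest, after_cutoff)


# Constructed account table: normalized email -> creation date.
USERS = {
    "alice@example.com": date(2018, 6, 1),
    "bob@example.com": date(2018, 11, 20),
    "carol@example.com": date(2020, 3, 2),   # joined well after the suspected theft
}

# Constructed leaked CRM rows; note the case difference, the duplicate and the prospect.
LEAKED = [
    {"email": "Alice@Example.com", "phone": "555-0100"},
    {"email": "bob@example.com", "phone": "555-0101"},
    {"email": "bob@example.com", "phone": "555-0101"},
    {"email": "dave@example.com", "phone": "555-0102"},
]

# Constructed cutoff: the date the theft is believed to have occurred.
CUTOFF = date(2018, 12, 31)


def run_example() -> MatchReport:
    """Runs the join on the constructed data; carol is absent from the leak."""
    return match_leak(LEAKED, USERS, CUTOFF)


def run_contradicting_example() -> MatchReport:
    """Same join with carol's row added, showing how a newer account breaks the timeline."""
    return match_leak(LEAKED + [{"email": "carol@example.com", "phone": "555-0103"}], USERS, CUTOFF)


if __name__ == "__main__":
    r = run_example()
    print(f"{r.matched_users} account holders, {r.prospects} prospects, "
          f"newest matched signup {r.latest_signup}, "
          f"{r.accounts_created_after_cutoff} accounts newer than cutoff")
```

On the constructed data the first run matches two account holders and one prospect, with the newest matched signup in November 2018 and nothing newer than the cutoff, which is the shape of evidence Diamond cites; the second run shows the opposite outcome, where a post-cutoff account in the dump would mean the copy was taken later than believed.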
Following the Vice report, Coinsquare last week sent emails to its user base informing them whether or not their personal data was affected by “the breach.” Diamond told BetaKit that Coinsquare sent emails to its entire user base of over 300,000, with another version of the email sent to the 3,900 Coinsquare users informing them their data had been breached.
The CEO did not indicate if the company had reached out to the other 1,100 Coinsquare prospects whose data had also been breached.
The startup reiterated that position in its emails, stating, “this was not a breach of Coinsquare’s core systems,” and adding that no passwords were included in the data that was obtained. Coinsquare has confirmed that the data came from a third-party sales management database that the startup used for “prospecting.”
The Toronto-based trading platform blamed the breach on a former employee, who, the company said, was responsible for stealing the data “roughly 18 months ago.”
“The person(s) responsible for the data theft indicated their intent of publishing the data is to ‘embarrass the company.’ Coinsquare takes these types of security threats seriously,” the company wrote in its email to users.
When asked how Coinsquare was sure the data was stolen by a former employee and not through a hack, Diamond told BetaKit, “in theory, it’s possible that our CRM provider was hacked. But I highly, highly doubt it, because they are a very, very large CRM provider and we would have learned about that. So, it really is a process of elimination, somebody trapped this data from the CRM.”
The CEO claimed that an internal investigation took place, but was unable to confirm that the investigation provided evidence that the breach was caused by a former employee rather than a hack.
“There’s no other explanation for how the data could have come out,” Diamond said. “It’s CRM data, where else does CRM data come from except the CRM. Who has access to the CRM? Employees.”
“We’re not blaming the third party. Let me make that incredibly clear,” he added. “But let me also make it incredibly clear that our systems have not been breached. I’m not blaming anybody, I think we need to be responsible for the security of our own users’ data. And ultimately, that responsibility falls with us.”
“All we can do is get better, although I would say throughout [Coinsquare’s] history we’ve been exceptional,” Diamond said. “We’ve never lost our clients’ funds. And I’m sure we’ve been a target for it for over three years now, which is roughly the period of time that we’ve been one of, or the, market leader in Canada.”
In its email to users, Coinsquare noted that since the original “data theft” occurred in 2019, it has replaced its internal sales management systems, re-written data management policies, and enhanced internal controls. The startup added in its email that safety, security, and its users’ right to privacy are Coinsquare’s highest priorities.
“Coinsquare has implemented physical, organizational, contractual, and technological security measures to protect our client’s personal identifiable information from loss or theft, unauthorized access, disclosure, copying, use, or modification,” the company said.
The startup also informed law enforcement and the Office of the Privacy Commissioner of Canada about the thousands of users’ data being breached, following the Vice report.
In its email, Coinsquare encouraged any concerned users to update passwords and personal email addresses. The company also pointed concerned individuals to reach out to their cell phone carrier “to ensure extra measures are put on your mobile account to prevent any potential ‘SIM swap’ attempts.”
Coinsquare also said in its email to users that they are entitled to register a complaint with the Office of the Privacy Commissioner with regard to the breach.