Canadians have once again become the victims of cybercriminals after insurance company Canada Life had its IT system breached this month and customer data stolen.
Canada Life provided few details about the cybersecurity incident.
It said in an April 20 news release that the “unfortunate” event involved “unauthorized access to certain applications through an employee account” and that the company launched an immediate investigation.
“Our primary focus is the protection and care of our customers, advisors, and employees,” said the company. “While we are finalizing a thorough analysis to understand the exact nature and full scope of impact, we have begun communicating with our customers.”
Individuals whose personal information was accessed will be contacted and offered credit-monitoring protection, it added.
Canada Life was founded in 1847 as the Canada Life Assurance Company. It provides personal health insurance for medical services such as physiotherapy and psychology, dental insurance, life insurance, retirement planning and insurance for businesses and their employees.
Other media reports said a hacking group known as ShinyHunters stole the data of about 70,000 Canadians from Canada Life.
Bill Buckels, a retired systems analyst, software engineer and wealth systems manager who lives in the Interlake, said the Canada Life cyber attack represents an ongoing failure of companies to protect clients’ data.
“Well, of course, Canada Life was hacked,” said Buckels. “This is another good case for not storing customer information where it can be accessed through the Internet.”
He said he’s not surprised the company’s IT system was breached as the ironclad security protocols he worked with back in his day are just not being implemented now because of convenience. That’s why the news is full of stories about companies being hacked and client data stolen.
Strong protocols from 35 or 40 years ago still exist and can be built into today’s IT systems, he said. Those security protocols include “data or information hiding” whereby individual clients are linked only to a “generic tag” such as a customer ID or a transaction number, with none of their personal data attached, as well as not allowing the transmission of sensitive data from a company’s server over the Internet.
“Canada Life should have had information hiding. In the 1980s and 1990s, this was a tenet of computer privacy, and we didn’t have this hacking problem back then,” said Buckels, who worked in the financial sector for companies such as RBC Dominion Securities and for stock exchanges and international banking systems. “If you’re going to leave the door open, the criminals are going to come in and steal everything.”
According to his research, Buckels said the stolen Canada Life data included names, contact details, and possibly financial and health insurance data.
Hackers accessed the system via a single employee’s account. Buckels said it could have been a phishing email that the employee opened, or the hackers could have obtained a previously leaked password that the employee was reusing for other applications, tried it out, and gained access to Canada Life client data stored in the cloud. In this way, the hackers didn’t have to “break in through a firewall; they just walked in the front door.”
“If the employees have access to client information through the Internet, then you as the company have compromised your own system, and you’re to blame,” said Buckels. “Under what circumstances does an employee need to have access to more than one customer at a time? If they choose to, Canada Life can have a ‘closed’ system for employees that won’t compromise the data of thousands and thousands of clients.”
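The two ideas above, a “generic tag” standing in for the customer and an employee-facing system that can reach only one customer at a time, are sketched below as an added illustration. This is not Canada Life’s system and not code from Buckels; the class names, the `CASE-` ticket convention and the two customers are assumptions made up for the example. The Internet-facing portal stores only random tokens and claim data, while personal data sits in a separate vault whose only read path hands out one record per cited case and logs who asked.

```python
"""Added sketch of the 'information hiding' split: the Internet-facing
portal holds opaque customer tokens and business data only; personal data
lives in a separate vault whose API releases one customer per request."""
import secrets
from dataclasses import dataclass


@dataclass
class PersonRecord:
    name: str
    email: str
    sin: str    # Social Insurance Number: must never leave the vault
    plan: str


AUDIT: list[tuple[str, str, str]] = []   # (employee, token, case id)


class Vault:
    """Back-office store keyed by random tokens. Assumed to run on a
    segment with no inbound Internet path; only fetch_one() is exposed."""

    def __init__(self) -> None:
        self._records: dict[str, PersonRecord] = {}

    def enroll(self, record: PersonRecord) -> str:
        # A random token, not hash(SIN): a 9-digit SIN has only 1e9 values,
        # so a deterministic hash could be brute-forced back to the SIN.
        token = "cust-" + secrets.token_hex(8)
        self._records[token] = record
        return token

    def fetch_one(self, employee: str, token: str, case_id: str) -> PersonRecord:
        """Release exactly one customer's record, and only against an open
        case, so every disclosure is attributable to a person and a reason.
        The CASE- prefix is an assumed ticketing convention for the demo."""
        if not case_id.startswith("CASE-"):
            raise PermissionError("lookup must cite an open case")
        record = self._records.get(token)
        if record is None:
            raise KeyError("unknown token")
        AUDIT.append((employee, token, case_id))
        return record

    # Deliberately no list/export/search-by-name method: a stolen employee
    # login can pull one record per case, not the whole book of business.


class Portal:
    """Internet-facing store: tokens plus claim data, nothing identifying."""

    def __init__(self) -> None:
        self.claims: list[dict[str, object]] = []

    def add_claim(self, token: str, amount: float, service: str) -> None:
        self.claims.append({"customer": token, "amount": amount, "service": service})

    def dump(self) -> list[dict[str, object]]:
        """Everything an attacker holding a portal account could export."""
        return list(self.claims)


def build_demo() -> tuple[Vault, Portal, list[PersonRecord], list[str]]:
    """Constructed, fictional customers for the demonstration."""
    people = [
        PersonRecord("Alice Example", "alice@example.test", "123456789", "health+dental"),
        PersonRecord("Bob Example", "bob@example.test", "987654321", "life"),
    ]
    vault, portal = Vault(), Portal()
    tokens = [vault.enroll(p) for p in people]
    portal.add_claim(tokens[0], 85.0, "physiotherapy")
    portal.add_claim(tokens[1], 120.0, "dental")
    return vault, portal, people, tokens


def portal_dump_leaks_pii(portal: Portal, people: list[PersonRecord]) -> bool:
    """True if any value in a full portal dump equals a name, e-mail or SIN."""
    sensitive = {v for p in people for v in (p.name, p.email, p.sin)}
    return any(str(v) in sensitive for row in portal.dump() for v in row.values())


if __name__ == "__main__":
    vault, portal, people, tokens = build_demo()
    print("portal dump:", portal.dump())
    print("PII in dump?", portal_dump_leaks_pii(portal, people))
    print("one record via case:", vault.fetch_one("jdoe", tokens[0], "CASE-1042").name)
    try:
        vault.fetch_one("jdoe", tokens[1], "")
    except PermissionError as e:
        print("refused:", e)
```

Two points worth noticing in practice: the token is drawn from `secrets`, because a token derived by hashing a low-entropy identifier such as a SIN can be reversed by trying all one billion candidates; and the vault's only read operation is per-customer and per-case, so a phished or reused employee password on the portal side yields a list of tokens and claim amounts, not the names, e-mails and SINs that make a breach damaging.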
Cybercriminals not only sell personal data on the dark web to other criminals, but they’ll also sit on it for years. For example, if they can’t read encrypted data they’ve stolen, Buckels said they’ll store it for years until new technology is developed to “crack” older encryption standards.
“The Canada Life data is obviously going to be set aside and could be frozen until thawed in five years’ time or more,” he said.
That’s why a hacked company saying there’s “no evidence client data is being shared on the dark web” or offering its clients free time-limited credit-monitoring services is virtually meaningless. It does nothing to protect victims whose data was stolen.
“Canada Life is giving a credit check for a year or two as compensation to the victims. But it’s clear that these are really stupid people when it comes to protecting data and they should be punished like criminals to teach them a lesson,” said Buckels. “The company needs to pay when that data eventually gets used and the damage occurs, whether that’s tomorrow or a decade or more from now. Canada Life is effectively an accessory to this breach and it should be liable to the same penalties given to hackers – who may never be caught.”
He underscored the fact that when IT systems are not exposed to the Internet, data cannot be stolen remotely. Thieves would have to physically steal a server containing the data by dynamiting brick and mortar to get to it.
What Canada Life and other companies with weak IT protocols need to do now is “remove client data from the Internet altogether,” he said.
The Canadian Investment Regulatory Organization (CIRO) experienced a major cybersecurity breach in 2025 that affected about 750,000 Canadian investors, including those in the Interlake. Hackers stole personal and financial data (including birthdates, SINs, bank account numbers and eye colour) after they accessed CIRO’s IT system. Interlakers just found out in March that their data was stolen. A class-action lawsuit has been launched (see the Feb. 5 online edition of the Express Weekly News).