The worst-case scenario happened for clients of Kaleido (ex-Universitas): their child’s RESP was completely stolen by fraudsters in the last few days. The Autorité des marchés financiers (AMF) says it is “very concerned about the situation” and called for “a specific action plan” from the Quebec company.
Last week, the Registered Education Savings Plan (RESP) specialist disabled its online services following potentially fraudulent activity in its clients’ accounts.
Since then, around 50 people have been informed that “attempts to make unauthorized transactions in their account could have a financial impact”, Julie Cyr, vice-president of marketing and customer experience, explained to me.
It appears that in some cases the attempts in question have achieved their objective.
“It wasn’t just a little computer bug!” commented Linda Charrette, a long-time Kaleido customer. Speaking with the Quebec company on Tuesday morning, she learned that there was no more money in the RESP of her daughter who attends university.
The $10,000 it contained was withdrawn on January 13. The sum was made up of interest and government grants. This is the portion called EAP, for “educational assistance payments”.
“I felt like crying. I asked, ‘What do we do? Usually with banks there is insurance.’ They had no information about it. They kept saying it wasn’t their fault. The woman must have told me 25 times. I don’t care whose fault it is. I want my money back,” the mother of two grown children told me on the phone. She was obviously upset. Anyone would be.
The only good news is that the account of her son, who has not yet reached the age to make RESP withdrawals, is intact. The fraudsters, Kaleido told her, provided false proof of enrollment in a study program to get their hands on her daughter’s money. They also changed the bank account number on file to collect the money.
Another mother, who does not want to be identified, experienced the same thing. The RESP of her child, who is at university, was completely emptied by fraudsters who provided Kaleido with forged proof of education to make withdrawals totaling five figures. This case created a lot of anguish in the family.
A third reader of La Presse contacted me after receiving a call from Kaleido. “All available funds from my child’s RESP were disbursed without my knowledge on January 9th.”
To request an RESP withdrawal online, you must access your file with a six-digit identification code provided by Kaleido and a password.
Linda Charrette wonders how the fraudsters could have had access to this code other than by accessing Kaleido’s databases. In its communications, the company claims that the “personal data” used maliciously was obtained “illegally from another source”.
What is even more worrying than the modus operandi of the thieves is the issue of reimbursement of the sums stolen. Linda Charrette swears that she was told nothing to reassure her, despite her specific questions on the subject. She is to be called back in a few days.
Julie Cyr, of Kaleido, says her organization “benefits from the usual protections” for an institution like hers.
But she adds this: “In order not to harm the process, we cannot comment further. Our wish is that this situation has no negative consequences for our customers. We are working closely with our stakeholders to find solutions.”
I’m not sure I would sleep soundly after reading this if I had lost my child’s education savings. Kaleido did not tell me how much money had been stolen in total.
Kaleido is registered with the AMF, but the latter only protects deposits in the event of the bankruptcy of a financial institution. The events are nonetheless being taken seriously. “We understand the current concern among many subscribers. The AMF has requested a series of information from the company as well as a specific action plan for it to take the appropriate measures to rectify the situation,” spokesperson Sylvain Théberge told me.
The AMF also manages a compensation fund for victims of fraud committed by an employee holding a licence. We will have to wait for the results of the investigation by Kaleido, the Royal Canadian Mounted Police and security experts at KPMG to find out if the victims will be able to make a claim.
On Tuesday, Kaleido reactivated its online services for all its customers whose accounts were not the subject of a “malicious attempt”. The company encourages its customers to change their password and to check that the activity in their account is in order. The level of monitoring of its systems has been increased to detect any unusual activity in real time, Ms. Cyr assures, and two-factor authentication should be deployed in 2023.
“According to our external security firm, our security index is above the average of Quebec companies that use a repository for high-maturity companies,” added the Kaleido representative.
If our savings are at risk of being stolen from a company with an above-average security rating, can we still rest easy?