At the start of the semester in CEGEPs and universities, parents who wish to tap into an RESP at Kaleido (formerly Universitas) will have to wait. The company’s online services have been disabled for a few days due to security concerns. No reinstatement date has been announced.
When Steve wanted to withdraw funds from the Registered Education Savings Plan (RESP) of his son who is attending CEGEP, he discovered that the Kaleido site was no longer working. Like the other customers, he received a brief email explaining this last week.
“On January 18, our security experts detected attempted fraudulent transactions in the online accounts of certain customers using the Customer Space. As a precaution, we immediately interrupted our online services, launched an investigation and alerted the authorities,” reads the communication signed by the president and chief executive officer, Isabelle Grenier.
“Malicious attempts” were reportedly made using “illegally acquired” personal information. “These do not come from our databases,” adds Kaleido, promising to continue to inform its customers. So far, however, it is radio silence.
For Steve, the wait is not a problem, because he has the means to help his son while he waits to be able to draw on the RESP. But other parents certainly rely on this savings account to pay some bills related to the studies of their offspring. After all, that is precisely what it is for!
This case, which has attracted no attention so far, raises questions and some anxiety among other customers.
Sophie, who is still contributing to her daughters’ RESPs, describes the message received from Kaleido as “not at all reassuring”. So she looked for additional information on the internet, but found nothing. “It is Monday. I received the message last week. It’s been five days. I find that worrying. As much for my money as my personal information.”
In fact, since very little is known about what happened, there is cause for concern. Have any accounts been emptied? Could fraudsters steal government grants? If so, I dare not imagine the hassle of recovering the evaporated sums.
Did fraudsters steal Social Insurance Numbers (SINs)? The question arises, since Kaleido’s customer records contain this information.
Unfortunately, we will have to wait for answers.
Of course, I tried to find out a little more, but the person in charge of responding to the media did not call me back. Instead, she forwarded me the email sent to customers. Like Steve, I tried to reach customer service, but they weren’t responding.
Maybe they are inundated with calls, and someone would have ended up picking up after hours of waiting. But no one has so much time to waste. And when you’re worried about your money or want access to it, you want answers fast. With the number of stories of fraud that we hear, emptied accounts and identity thefts that cause all kinds of problems, it is natural to want to understand what is going on.
The vice-president of marketing and customer experience, Julie Cyr, wrote to me at the beginning of the evening so that I could send her my questions by email. The answers will undoubtedly come this Tuesday.
The Autorité des marchés financiers (AMF) knows that the Kaleido site no longer works. But it, too, had little to say on the subject.
“Since Kaleido is registered with the AMF as a scholarship plan dealer and investment fund manager, it did notify us of the situation. All we can say at this time is that we are in contact with Kaleido and are monitoring the situation closely.”
Sylvain Théberge, spokesperson for the Autorité des marchés financiers
According to computer security expert and Hackfest.ca co-founder Patrick Mathieu, Kaleido does not appear to be a victim of ransomware. Instead, the message to customers suggests that this is a classic case of fraudsters trying to break into customer accounts with passwords used on other sites or popular passwords like 123456, qwerty or abc123.
“Companies that have sensitive customer data need to put more security in place. Their authentication system was not strong enough. It’s a standard problem. We are a little behind in Quebec,” says Patrick Mathieu. At a minimum, you need two identification factors (sending a code by email or text message) and passwords of 16 to 18 characters, adds the expert. Of course, it is then necessary to acquire software to manage all that, but that is another story.
Coming back to Kaleido, we can only hope for an update on the situation very quickly, and an outcome of the “more fear than harm” type.