Insurance & Pensions | March 2026 | Canada

Canada Life

One of Canada's largest insurers exposed pension data—SINs, banking details, and retirement account information for plan members.

Social Insurance Numbers, Pension account details, Benefits enrollment data, Banking information, Beneficiary details, Employment records

1. What happened?

Canada Life, one of Canada's largest insurance and wealth management companies, disclosed a data breach affecting pension plan members and group benefits policyholders. The company administers retirement plans for employers across Canada, holding some of the most sensitive financial data Canadians have—their retirement savings.

2. What data was actually inside?

Social Insurance Numbers, pension account details, banking information for direct deposits, beneficiary designations, and employment records. Pension data is uniquely sensitive—it's tied to people's entire working lives and their financial security in retirement.

Beneficiary information reveals family relationships. Banking details enable fraud. SINs enable identity theft that can persist for years.

3. Who gets hurt and how?

Canadian workers whose employers chose Canada Life for their pension and benefits plans. They didn't pick Canada Life—HR did. Now their retirement security data is exposed. Many are approaching retirement age, making them prime targets for fraud schemes aimed at seniors.

Pension fraud can redirect retirement payments. SIN theft can result in fraudulent tax filings. The harm compounds over time as attackers use the data.

4. What did they think they were doing right?

Canada Life is regulated by OSFI (Office of the Superintendent of Financial Institutions) and provincial insurance regulators. They operate under Canadian privacy law (PIPEDA) and provincial requirements. They manage billions in assets and have enterprise security programs expected of a major financial institution.

They had the compliance frameworks. They had the security certifications. The data was still exposed.

5. What did they not know about their own data?

Canada Life didn't know—or couldn't act on knowing—where all member SINs and banking details were stored across their systems. Pension administration involves multiple systems: enrollment, contributions, investments, distributions, and beneficiary management. Each system touches sensitive data.

The sprawl of pension data across systems and decades of records creates blind spots that attackers can exploit.

6. What does attribution look like the morning after?

Canada Life had to notify plan sponsors (employers), regulators, and individual plan members. Under Canadian law, they must report to the Privacy Commissioner. Each notification extends the reputational damage and creates potential regulatory consequences.

For pension administrators, trust is the business. Plan sponsors will question whether to continue the relationship—and whether they have exposure for choosing Canada Life.

7. What would have changed the outcome?

Knowing where SINs and banking data live across all pension systems.

If Canada Life had mapped their sensitive data—every database, every archive, every integration point—they could have prioritized protection and detected anomalies. Pension data should be some of the most protected data in any organization. Instead, they learned their exposure when attackers demonstrated it.
