As the CEO of Coinsquare, I would like to provide you with a formal response to the recent news about a data breach of personal information contained within approximately 5,000 records of customer relationship management (CRM) data.
Our goal is to be as transparent as possible and echo the communications sent to our customers, and address questions raised on social media, customer support inquiries, and beyond.
We have done our best to provide as much information as possible across the following topics:
- Data Breach Backstory
- The VICE Article
- Coinsquare’s Retrospective
- The Facts of Those Impacted
- Coinsquare Does Not Offer SMS 2FA
- Communication to Impacted People
Data Breach Backstory
The issue started just over a year ago with someone posting a very small sample of data on Reddit claiming someone had access to Coinsquare user data; the claim was that they had access to around 50,000 users’ personal information. At the time, we could not confirm that this was anything more than a threat. Coinsquare could not validate that the malicious actor had more than a small sample of sales/prospecting data. Coinsquare used the obtained information to notify those users whose names were supplied. Coinsquare did take steps, as required by law, to inform law enforcement and the Office of the Privacy Commissioner about the Reddit forum, and the leak of data, based on the available information.
Based on the format of the data posted, it was evident that there was no breach of Coinsquare’s core software system, i.e. the Coinsquare exchange platform. The field names, the way the information was compiled, and the inconsistencies in the data led us to believe that perhaps there was a theft from a customer relationship management (CRM) tool used to prospect both users and non-users to use Coinsquare Wealth.
Additionally, the malicious actor did not approach Coinsquare asking for money or threaten us directly. Coinsquare saw no subsequent unusual activity on the platform, or with specific sets of users, that would have led us to believe that there was a data breach that would constitute a risk of harm to our users.
With the information provided at the time, Coinsquare felt confident that the malicious actor was not a hacker, but was most likely an ex-employee that got their hands on customer relationship management data and was trying to embarrass the company.
Nevertheless, Coinsquare strengthened our internal processes, updated our sales management software including our internal data policy controls, and used this event as a way to improve our internal practices and systems.
The Vice Article
Fast forward to May 29, 2020. Coinsquare was approached by a VICE reporter who informed the company that a ‘hacker’ had contacted them and provided a larger sample of data to VICE. VICE then graciously provided a portion of the data to Coinsquare, which allowed us to verify that the extent of the original threat was larger. Once Coinsquare received the full list of information, we were able to confirm that this came from the same source of data from just over a year ago.
At that point (June 3rd, 2020), Coinsquare began to take steps to inform all users about the incident. We immediately began preparing and then communicating about the data breach with all our users, both affected and not affected, as well as those prospects (non-users) who were on the list.
The list touches a number of different categories that we have spent time crafting accurate communications towards: those who have been affected and are users; those who have been affected and are not users (because it was prospecting data); and those who are not affected. Additionally, we have taken precautionary measures: applying “no withdrawal” restrictions to impacted accounts (whether they have 2FA or not) and working on updating our customer support policies and communications.
Coinsquare is aware that this issue could have been handled better on Reddit when it first came up. We had only a very small amount of information at that time and could not validate the extent of the theft. The facts in our possession at that time amounted to 4 users, with a claim that they had additional pieces of personal information on both existing and prospective users. We could not confirm that claim.
We had to balance this claim against the facts in our possession. Coinsquare could not verify at the time who the possible reported users might be out of our 290,000 person user base. We had to weigh that against the possibility that this was simply a fabricated threat designed to harm our reputation. In the subsequent weeks and months following this threat, Coinsquare experienced no unusual account activity. In short, there were no red flags or spikes in compromised accounts that would lead us to believe specific users were being targeted by a hacker or malicious actor.
After recently being provided with the list of impacted persons, Coinsquare was able to use the list to confirm where the user data came from (our old CRM tool), and use the list to figure out which users were affected, which non-users were affected, and which users were not affected.
The Facts of those Impacted
- 286,828 users had NO information leaked.
- 3,453 Coinsquare users did have some form of “Personally Identifiable Information” (PII) leaked – because the information comes from a CRM tool, there is inconsistency in the data by each user. The information ranges from just names, emails, and phone numbers to in very few cases there is an address (9 addresses to be exact).
- 1,137 non-Coinsquare users had some information leaked – again, this confirms to us, in addition to the layout of the data and the column headings, that this is information from a CRM tool.
These numbers differ slightly from our first posts on the subject. As we continue to do detailed analysis of the real impact, our numbers are becoming more refined.
Coinsquare Does Not Offer SMS 2FA
Coinsquare does not offer SMS 2FA. In SMS authentication, users provide a code that has to be sent to their phone via SMS as proof of their identity. In theory, SMS authentication provides a second identity factor, but it has vulnerabilities specifically in the case of sim swaps.
Although Coinsquare does not offer SMS 2FA, affected users may be using SMS 2FA on other applications. We have informed them that they should be taking necessary precautions as described in the email communications we have provided links to below.
Communication to Impacted People
Coinsquare has put together a series of emails that have been sent to all users and non-users who were impacted by this data breach. The emails are available for viewing below.
- Impacted Users: those who have a Coinsquare account and were on the list
- Impacted Non Users: those who do NOT have a Coinsquare account but were on the list
- Non Impacted Users: those who have a Coinsquare account but were NOT not on the list.
We have sent more than 290,000 emails out over the last few days and will continue to make sure we contact everyone who we may find has been impacted as we continue to analyze the data.
Coinsquare hopes that this response helps to provide further clarity to those who want, and frankly deserve to hear the truth. We are incredibly appreciative that the r/BitcoinCA Reddit community held us accountable, and are thankful to the r/BitcoinCA mod who contacted us in order to ensure we showed proper accountability to our users and affect non-users alike.
We continue to investigate the original source of the leak of data. We take all claims of a breach of data very seriously and are working closely with the Office of the Privacy Commissioner and the RCMP to make sure we are doing all we can to safeguard private information and to identify any deliberate efforts to harm our customers, members of the public and our company.
If you do have more questions or concerns please feel free submit a support ticket here. We will answer any question we can. Please understand that we cannot answer questions about other people’s accounts.
CEO of Coinsquare
Please note that under the Personal Information Protection and Electronic Documents Act (PIPEDA) you are entitled to register a complaint with the Office of the Privacy Commissioner of Canada with regard to this breach. Complaints may be forwarded to the following:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Refer to this website for further information on how to file a complaint: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business