1 billion records could be at risk
A high-profile hacker collective has claimed responsibility for stealing nearly a billion customer records tied to companies using Salesforce’s cloud-based software, a disclosure that has rattled the financial services industry and raised questions about data security across Canada’s wealth management sector.
The group, which calls itself Scattered LAPSUS$ Hunters, unveiled a dark-web site last week designed to pressure companies into paying ransom. On the site, the hackers listed dozens of global corporations across retail, automotive, finance, and insurance, and threatened to publish client data unless settlements are reached.
Salesforce, a dominant player in customer relationship management (CRM) software, pushed back against suggestions that its own systems had been penetrated. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a spokesperson said.
Why this matters for Canada’s advisors
For Canadian wealth managers, the revelations cut close to the bone. Salesforce has become deeply embedded in the industry, with many registered investment advisors (RIAs) and bank-owned firms deploying Salesforce’s Financial Services Cloud or sector-specific overlays such as Practifi, Salentica Elements, and XLR8 to manage sensitive client data.
Public case studies show U.S. peers like RBC Wealth Management–U.S. and Pacific Life using Salesforce to consolidate banking, investment, and insurance information. North of the border, Canadian institutions with similar integrated platforms may face heightened scrutiny over their reliance on third-party vendors for client record-keeping and compliance functions.
The hack also underscores the evolving nature of cyberattacks. Analysts note that the perpetrators relied on social engineering—impersonating employees over the phone or tricking staff into authorizing malicious software—rather than exploiting a direct flaw in Salesforce’s code. For firms handling high-net-worth client portfolios, that distinction may matter little if personal or financial information is ultimately exposed.
Canadian financial companies using Salesforce
|
Company |
Sector / function |
Evidence / note |
|---|---|---|
|
RBC Wealth Management (Canada / RBC group) |
Wealth / advisory / client operations |
Uses Salesforce Financial Services Cloud to consolidate systems and support advisor workflows. |
|
CIBC (Canadian Imperial Bank of Commerce) |
Commercial / retail banking / customer engagement |
Announced a multi-year agreement selecting Salesforce as its enterprise CRM platform. |
|
Bank of Montreal (BMO) |
Banking / sales automation |
Adopted Salesforce Sales Cloud for sales automation and CRM engagement. |
|
Scotiabank |
Banking |
Listed among Canadian banks deploying Salesforce in CRM systems. |
|
Manulife (Canada) |
Insurance / financial services |
Identified as a Salesforce user within its technology stack. |
|
The Co-operators |
Insurance / financial services |
Reported as using Salesforce Financial Services Cloud for operations. |
|
ATB Financial |
Banking (Alberta) |
Reported adoption of Salesforce Financial Services Cloud. |
Regulatory pressure ahead
The extortionists have gone further, warning that Salesforce could face litigation under Europe’s General Data Protection Regulation (GDPR) and hinting at wider civil action. While Canada’s privacy regime is different, regulators in Ottawa and provincial securities commissions have signalled growing intolerance for lapses in cybersecurity protections, particularly when investor data is at stake.
For independent wealth firms, the attack highlights an uncomfortable reality: outsourcing infrastructure to a global technology provider does not insulate them from reputational or legal risk if a breach occurs. Firms are expected to demonstrate that they have carried out vendor due diligence, imposed contractual safeguards, and implemented client notification protocols.
A second blow: AI vulnerabilities
The revelations arrived just days after Salesforce patched a critical flaw in its Agentforce artificial intelligence platform. That bug, known as “ForcedLeak,” could have allowed attackers to siphon data via prompt injection—malicious instructions hidden in otherwise routine data inputs. While Salesforce says the vulnerability has been resolved, the timing has intensified concern about the risks that AI layers add to core CRM systems.
What comes next
For Canadian financial executives, the incidents will sharpen boardroom discussions about cybersecurity investment. The question is not only whether Salesforce itself remains secure, but also whether firms are prepared to defend against employee-targeted schemes and to reassure clients that sensitive wealth planning data is protected.
