The worst-case scenario has occurred for Kaleido (ex-Universitas) customers: their child’s RESP has been completely stolen by scammers in the past few days. The Autorité des Marchés Financiers (AMF) says it is “very concerned about the situation” and called for “a concrete plan of action” from the Quebec company.
Posted at 6:30am
Last week, the Registered Education Savings Plan (RESP) specialist disabled its online services following potentially fraudulent activity in its customers’ accounts.
Since then, around 50 people have been informed that “attempts to make unauthorized transactions on their account could have a financial impact,” vice president of marketing and customer experience Julie Cyr told me.
It seems that the attempts in question have achieved their goal in some cases.
“It wasn’t just a small computer error!” commented Linda Charrette, a longtime Kaleido customer. Speaking to the Quebec company Tuesday morning, she learned there was no money left in her daughter’s RESP, who attends university.
The $10,000 in it was withdrawn on January 13th. The sum consisted of interest and government grants. This is the part called EAP, for Educational Assistance Payments.
“I felt like crying. I asked, “What are we doing? Banks usually have insurance.” They had no information about it. They always said it wasn’t their fault. The woman had to tell me. say back 25 times,” the mother of two grown children told me over the phone. She was visibly upset. We would be less.
The only good news is that her son, who is under RESP withdrawal age, has an intact account. The scammers, Kaleido told her, provided false proof of enrollment in a college course in order to get her daughter’s money. They also changed the bank account number on file to get the money back.
Another mother, who wishes not to be identified, experienced the same thing. Her child’s RESP at university was completely drained by scammers who provided Kaleido with fake educational credentials for five-figure withdrawals. This case caused much sorrow in the family.
A third La Presse reader contacted me after receiving a call from Kaleido. “All available funds from my child’s RESP were paid out on January 9 without my knowledge. »
In order to submit an RESP withdrawal request online, you must access your file using a six-digit identification code and password provided by Kaleido.
Linda Charrette wonders how the scammers got access to this code other than by accessing Kaleido’s databases. In its notices, the company claims that the “personal information” it used maliciously “came illegally from another source.”
Even more worrying than what the thieves are doing is the question of recovering the stolen funds. Linda Charrette swears that despite her specific questions on the subject, she was not told anything to reassure her. We have to call her back in a few days.
Kaleido’s Julie Cyr says her organization “enjoys the usual protections” for an institution like hers.
But she adds: “In order not to damage the process, we cannot comment further. Our wish is that this situation does not have any negative consequences for our customers. We work closely with our stakeholders to find solutions. »
I’m not sure I would sleep on both ears while reading if I lost my child’s education savings. Kaleido didn’t tell me how much money was stolen in total.
Kaleido is registered with the AMF, but the latter only protects deposits in the event of bankruptcy of a financial institution. Events are still taken seriously. “We understand the current concerns of many insurers. The AMF has requested a series of information from the company, as well as a concrete action plan in order to take the appropriate measures to remedy the situation,” spokesman Sylvain Théberge told me.
The AMF also manages a compensation fund for victims of fraud committed by a licensed employee. Kaleido, the Royal Canadian Mounted Police and security experts from KPMG will have to wait and see whether the victims can make claims there.
On Tuesday, Kaleido reactivated its online services for all of its customers whose accounts were not the subject of a “malicious attempt”. The Company encourages its customers to change their password and validate compliance of activity on their account. The level of surveillance on its systems has been increased to detect unusual activity in real time, Ms Cyr assures, and double authentication must be introduced in 2023.
“According to our external security firm, our security index is above the average for Quebec companies using a high-maturity enterprise repository,” added the Kaleido representative.
If our savings could be stolen from a company with an above-average security rating, can we still rest easy?