Notice of Cybersecurity Incident
Safe Step Walk-In Tub (“Safe Step”) became aware in December 2022 that potential unauthorized intrusions into the email account of a single Safe Step employee may have occurred. We initiated a cybersecurity response, secured the account, and launched an investigation to determine the nature and scope of the incident. Our investigation has confirmed that phishing emails were sent from the compromised account and that the personal information of some of our customers and those of our U.S. affiliate may have been accessed.
We take the privacy and security of our customers’ personal information very seriously and so are providing this notice to explain what happened, the personal information that may have been affected, actions we are taking to help limit any impact, and steps you can take to protect your information and identity. We have also reached out directly by mail or email to all potentially affected customers for whom we were able to locate contact information.
What happened?
On December 12, 2022, Safe Step was alerted to a potential cybersecurity incident. Upon investigating, we determined that potential unauthorized intrusions into the email account of a single Safe Step employee may have occurred. We then initiated a cybersecurity response and launched an investigation to determine the nature and scope of the incident. We also engaged a cybersecurity firm to assist in investigating the incident and identifying any potentially compromised information.
The investigation has determined that one or more unauthorized third parties obtained access to the email account between approximately October 25, 2022 and December 12, 2022. The account was used to send phishing emails on November 8, 2022 and December 8, 9 and 12, 2022. We successfully terminated the unauthorized access on December 12, 2022, and have reported the incident to law enforcement.
What information was involved?
After completing our investigation, analysis and review of the circumstances and data involved in the security incident, we have determined that the communications and documents that were potentially exposed include personal information relating to certain of our customers in Canada and the customers of our U.S. affiliate, Safe Step Walk In Tub, LLC, in the United States. While the exact information potentially affected varies from individual to individual, the kinds of information that may have been affected include name, address, date of birth, email address, government identification numbers (such as social insurance and social security numbers), financial and payment card information, and health-related information.
We have reached out directly by mail or email to all potentially affected individuals for whom we were able to locate contact information; however, we were unable to locate contact information for a small number of such individuals. We encourage customers who wish to confirm whether their personal information may have been affected to call us at 1-800-216-7798, Monday through Friday between 9:00 a.m. and 7:00 p.m. Eastern Time.
It is important to note that our investigation has not revealed the public disclosure of any potentially affected personal information or its use for fraudulent purposes.
What are we doing?
We are taking a number of steps for our customers’ protection. Safeguarding our customers’ information is essential to us, and we will continue to invest in hardening our defences. We have put in place additional security measures to help prevent a similar incident and will utilize the information revealed in the analysis of this incident to further strengthen the security of our network, systems, and information. We will also collaborate fully with any law enforcement investigation into this incident.
What customers can do.
While our investigation has not revealed the public disclosure of any potentially affected personal information or its use for fraudulent purposes, we encourage all of our customers to take the following steps to protect themselves against potential misuse of their information:
- Call us at 1-800-216-7798, Monday through Friday between 9:00 a.m. and 7:00 p.m. Eastern Time, to learn whether your personal information may have been affected by this incident.
- Keep an eye out for phishing emails and other fraudulent communications. Unless you contact us, we will not call or text you asking for personal information regarding this cybersecurity incident. We will also never ask you for your credit card details via email. If you receive such a fraudulent communication from someone impersonating Safe Step, do not click on any links, open any attachments, download any files, or reply to the communication. Instead, please let us know about it using the contact details below.
We are aware that the following phishing emails were sent from the compromised account:
| Date | Subject |
| November 8, 2022 | EMAIL: Mailbox Expiry Warning -Tuesday, November 8, 2022 |
| December 8, 2022 | Payroll Funding |
| December 9, 2022 | Payroll Funding 12/9/2022, Payroll Funding 12/12/2022 |
| December 12, 2022 | Payroll Disbursement 12/12/2022 |
If you received these emails, you should not click any links or open any attachments and should delete the emails immediately.
- Periodically order a copy of your credit report from both of the major credit reporting agencies free of charge. Once you receive your reports, review them for suspicious activity and notify the credit agencies if any information is incorrect.
In Canada, you can obtain your report from TransUnion here or by calling 1-800-663-9980. You can obtain your report from Equifax here or by calling 1-800-465-7166.
In the United States, you may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting agencies. To order your annual free credit report, please visit www.annualcreditreport.com, call 1-877-322-8228, or complete an Annual Credit Report Request Form and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form here.
- Report fraud and identity theft. Report fraudulent activity or suspected identity theft to local law enforcement.
- Regularly monitor your bank and credit card accounts and review your account statements for suspicious activity. If you detect any suspicious activity on an account, contact your issuing bank immediately. Likewise, monitor your other online accounts for unusual or suspicious activity that you do not recognize and contact the relevant company immediately if you spot any such activity.
- Monitor your mail for any change or disruptions. Report any irregularities in your mail delivery to Canada Post or the U.S. Postal Inspection Service.
- Consult additional resources. Consult the Government of Canada’s Get Cyber Safe website, the Canadian Anti-Fraud Centre, and the S. Federal Trade Commission to inform yourself further about cybersecurity and steps you can take to protect yourself online.
How to get in touch with us.
The security of our customers’ personal information is of paramount importance to us. We deeply regret that this incident occurred and apologize for any inconvenience it is causing.
If you have any questions, please call us at 1-800-216-7798, Monday through Friday between 9:00 a.m. and 7:00 p.m. Eastern Time, or email us at inquiries@safesteptub.com.
Sincerely,
Sébastien Laforge
President
Wolseley Canada Inc., operating as Safe Step Walk-In Tub
FREQUENTLY ASKED QUESTIONS
We realize that a cybersecurity incident of this nature may cause you concern. The following FAQs are provided to assist you in understanding the incident and to answer questions you may have.