21/01/2026
The Canadian Investment Regulatory Organisation data breach exposed the sensitive data of 750,000 Canadian investors
The Canadian Investment Regulatory Organisation (CIRO) has confirmed that approximately 750,000 Canadian investors have been affected by a sophisticated phishing attack initially disclosed in August 2025.
The confirmation comes after nine months of forensic investigation and over 9,000 hours of examination by third-party cybersecurity experts and forensic investigators.
The breach exposed sensitive personal and financial information, including dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers, and account statements.
CIRO emphasised that authentication credentials, such as passwords, security questions, and personal identification numbers (PINs), were not compromised, as the organisation does not collect or store such information in its systems.
CIRO stated that it quickly contained the incident and implemented immediate security measures to secure its systems.
The organisation notified law enforcement, privacy commissioners, and all relevant regulatory authorities upon discovering the breach.
A leading third-party forensic IT investigator was retained to determine the scope and nature of compromised data.
The preliminary investigation revealed that registration information for member firms and registered individuals had been compromised.
CIRO disclosed these findings publicly and directly notified affected members and registrants, and committed to sharing the final results once the e-discovery process concluded.
Protective Measures and Monitoring
Currently, there is no evidence that the exposed information has been misused. CIRO continues active monitoring for malicious activity and has not identified any threat indicators or data exposure on the dark web.
As a precautionary measure, the organisation is providing affected Canadian investors with complimentary credit monitoring and identity theft protection services for 2 years through major credit agencies.
Affected individuals will receive detailed instructions for activating protection services directly from CIRO. The organisation began notification communications on January 14, 2026.
Only some clients and former clients of CIRO dealer members were affected by the cybersecurity incident.
Individuals who did not receive a notification letter but wish to confirm whether they were affected can request verification through CIRO’s website by submitting a written inquiry using the contact form in the cyber incident section.
Andrew Kriegler, CIRO’s President and Chief Executive Officer, stated: “We are intent on doing right by those who are personally affected. Matters of privacy and security are significant to us, as are our guiding organisational values of transparency and accountability.”
CIRO remains committed to strengthening its cybersecurity defences and supporting the broader investment industry’s security efforts. Additional information regarding the incident is available on CIRO’s official website.
Source
https://cyberpress.org/ciro-confirms-data-breach/