
The Canadian Investment Regulatory Organization (CIRO) has confirmed that a sophisticated phishing attack disclosed last August resulted in unauthorized access to personal information belonging to approximately 750,000 Canadian investors.
CIRO revealed that the incident stemmed from a phishing campaign identified in August 2025, which prompted an immediate investigation and system shutdown. After months of forensic analysis, including over 9,000 hours of e-discovery work by third-party cybersecurity experts, CIRO now confirms that sensitive data tied to a large number of individuals was compromised.
The breach was initially disclosed on August 18, 2025, when CIRO announced it had detected a cybersecurity threat a week earlier and took precautionary measures by shutting down parts of its systems. At the time, preliminary findings indicated that registration data related to CIRO member firms and their employees had been accessed. However, CIRO also warned that investor data might have been affected depending on the results of the ongoing investigation. That suspicion has now been confirmed.
The impacted data includes:
- names,
- dates of birth,
- phone numbers,
- annual income,
- social insurance numbers (SINs),
- government-issued ID numbers,
- investment account numbers,
- and account statements.
CIRO clarified that account login credentials such as passwords, PINs, or security questions were not collected by the organization and were therefore not at risk in this incident.
CIRO, formed through the consolidation of Canada’s investment regulatory bodies, is the national self-regulatory organization overseeing investment dealers, mutual fund dealers, and trading activity across Canadian debt and equity markets. Its mandate includes monitoring compliance among member firms, conducting market surveillance, and protecting investors from improper conduct. The personal data exposed in this breach was collected through those regulatory and investigative functions, meaning only clients or former clients of CIRO member firms were affected.
President and CEO Andrew Kriegler expressed regret over the incident and reaffirmed CIRO’s commitment to transparency, accountability, and security. The organization has begun notifying affected individuals via mail, starting January 14, 2026, and is offering two years of credit monitoring and identity theft protection through both major Canadian credit agencies.
CIRO emphasized that there is currently no evidence that the stolen information has been misused. The organization is continuing to monitor for malicious activity and reports that no data has surfaced on the dark web.
Affected individuals are encouraged to follow the activation steps for credit monitoring as outlined in the notification letters. Those who have not received a letter but suspect they may be affected can submit a written request through CIRO’s website to verify their status.





