Canadian Investment Regulator Confirms Data Breach Affecting 750,000 Investors

The Canadian Investment Regulatory Organization (CIRO) has confirmed that approximately 750,000 investors were impacted by a data breach following a phishing attack detected in August 2025.

CIRO, which oversees all investment and mutual fund dealers in Canada alongside trading activity on the country's debt and equity markets, disclosed the scale of the breach after more than 9,000 hours of forensic investigation.

What Was Exposed

The following personal information may have been compromised:

• Dates of birth
• Phone numbers
• Annual income
• Social Insurance Numbers (SINs)
• Government-issued ID numbers
• Investment account numbers
• Account statements

Login credentials were not affected.

Response

CIRO stated there is currently no evidence the stolen data has been misused.

"We continue to monitor for malicious activity and have not identified any threat activity or exposure on the dark web," the organization said.

Affected investors are being offered two years of credit monitoring and identity theft protection through both major credit agencies.

"We are intent on doing right by those who are personally affected," said CIRO CEO Andrew Kriegler. "Matters of privacy and security are extremely important to us, as are our guiding organizational values of transparency and accountability."

Why This Matters

The breach exposes highly sensitive financial data for three-quarters of a million Canadian investors. Social Insurance Numbers combined with investment account details and income information create significant identity theft and fraud risk.

The incident highlights phishing as a persistent threat vector, even for organizations overseeing critical financial infrastructure.