Regulator expresses regret over August phishing attack
CIRO confirmed on Wednesday that the data breach it disclosed in August of 2025 impacted 750,000 Canadian investors.
The attack, which CIRO describes as a "sophisticated phishing attack," may have seen a wide array of personal information fall into the attackers' hands. That includes those investors' dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers and account statements, according to a statement from CIRO released on Wednesday.
Because CIRO does not collect login details such as passwords, security questions, and PINs, the SRO says that none of that information was impacted.
The statement expressed CIRO's deep regret for the incident.
"We are intent on doing right by those who are personally affected," said Andrew Kriegler, President and Chief Executive Officer of CIRO. "We take our public interest role very seriously. Matters of privacy and security are extremely important to us, as are our guiding organizational values of transparency and accountability. That's why we remain committed to further strengthening our own cybersecurity defences and data security practices and supporting the ongoing efforts of the broader investment industry."
Since the breach, CIRO has taken steps to contain impacts and strengthen its cybersecurity. Law enforcement was notified and a third-party forensic IT investigator was retained. CIRO also hired external cybersecurity experts, who found the exact firms and registered individuals who had been impacted. The statement says that there is currently no evidence that the information was misused. CIRO is also providing all impacted investors with two years of credit monitoring and identity theft protection with the major credit agencies.