Canadian Investment Regulatory Organization confirms phishing breach impacted around 750,000 investors and begins notifications with credit monitoring

The Canadian Investment Regulatory Organization (CIRO) published an update confirming that a sophisticated phishing attack, first disclosed in August 2025, resulted in unauthorized access to data relating to approximately 750,000 Canadian investors. CIRO is contacting affected investors and offering two years of credit monitoring and identity theft protection, and reports no current evidence that the information has been misused. Potentially impacted information includes dates of birth, phone numbers, annual income, Social Insurance Numbers, government-issued identification numbers, investment account numbers and account statements. CIRO said it does not collect account login details such as passwords, security questions or PINs, so those were not at risk. The incident was contained and systems secured, with notifications made to law enforcement and relevant authorities including privacy commissioners; a third-party forensic IT investigator and external cybersecurity experts supported a review that took more than 9,000 hours, following earlier findings that registration information for member firms and registered individuals was affected. Notification letters to impacted clients or former clients of CIRO dealer members will be sent starting January 14, 2026, with step-by-step instructions to activate the protection services provided directly. Investors who do not receive a letter but wish to confirm whether they were impacted can submit a written request through CIRO’s website contact form.