CIRO confirms data breach exposed info on 750,000 Canadian investors

The Canadian Investment Regulatory Organization (CIRO) confirmed that the data breach it suffered last year impacts about 750,000 Canadian investors.

The organization disclosed the incident on August 18 but completed its extensive forensic investigation this year, on January 14.

CIRO is Canada’s national self-regulatory body for investment dealers, mutual fund dealers, and trading activity. It was formed in 2023 and is currently one of the core pillars of the country’s financial regulatory framework.

Last summer, CIRO announced that it had identified a cybersecurity threat on its systems on August 11 and had responded by shutting down certain non-critical systems while launching an investigation.

Preliminary results showed that some personal information of member firms and their registered employees had been exfiltrated, but the full scope of the incident would take more time to assess.

In an announcement earlier this week, CIRO said that the incident impacted approximately 750,000 investors in the country, which corresponds to a portion of CIRO’s current and former members. The compromised data varies by individual and may include:

Dates of birth
Phone numbers
Annual income
Social insurance numbers
Government-issued ID numbers
Investment account numbers
Account statements

CIRO emphasized that login credentials or account security questions have not been affected because it does not store such information on its systems.

The organization notes that it spent over 9,000 hours investigating the incident and found no evidence that the stolen data has been misused or published on the dark web.

However, to help mitigate the risks, CIRO will be providing all affected investors with a free-of-charge two-year credit monitoring and identity theft protection service.

Those confirmed to have been impacted will receive direct communication with instructions on how to enroll in the service. Those who don’t receive a notice may contact CIRO directly to confirm the impact.

The CIRO data breach was one of the worst cybersecurity incidents in Canada last year, alongside similar incidents at Nova Scotia Power, the House of Commons, WestJet, Toys “R” Us, and Freedom Mobile.
