The Canadian Investment Regulatory Organization (CIRO) this week revealed that hackers compromised the personal information of 750,000 individuals in an August 2025 cyberattack.
The data breach, CIRO says, was the result of a sophisticated phishing attack, and resulted in some systems being shut down. The incident did not impact the organization’s critical functions.
“We are confident that the incident is contained and that there is no active threat in ClRO’s environment,” the organization says.
CIRO disclosed the incident on August 18, saying that its preliminary investigation determined that “some personal information of member firms and their registered employees was affected”.
Now, the investment watchdog says the compromised personal information includes annual income, dates of birth, government-issued ID numbers, phone numbers, investment account numbers, social insurance numbers, and account statements.
“CIRO received this information in the normal course of carrying out its regulatory mandate to protect investors from improper investment conduct and practices, and through its investigative, compliance assessment and market regulation work,” the organization says.
No passwords, PINs, or security questions were affected, as CIRO does not store such information.
The organization says it has no evidence that the compromised data has been misused, and that it has not identified threat activity or exposure on the dark web.
However, CIRO continues to monitor for malicious activity and is providing the impacted individuals with two years of free credit monitoring and identity theft protection services.
The organization started sending notification letters to the impacted clients and former clients of CIRO dealer members. It also published an FAQ page with additional information.
CIRO is a pan-Canadian self-regulatory body that provides oversight of the business conduct of investment and mutual fund dealers in Canada.
Related: Central Maine Healthcare Data Breach Impacts 145,000 Individuals
Related: Traveler Information Stolen in Eurail Data Breach
