Cyber Incident Victim: Canadian Tire
Date: Oct 2025
Location: Canada
Summary
Canadian Tire experienced a data breach that exposed personal information from its e‑commerce accounts. The compromised data included names, email addresses, dates of birth for a small subset of users, PBKDF2‑hashed passwords, and partial credit card details such as card type, expiry and masked numbers. The company stated that fewer than 150,000 accounts had date of birth information exposed and that the password and credit card data could not be used to access accounts or conduct fraudulent transactions. No Canadian Tire Bank or Triangle Rewards loyalty data was affected. Affected individuals were notified by email and the breach dataset was later added to the Have I Been Pwned notification service.
Description
On October 2, 2025, Canadian Tire discovered unauthorized access to an e-commerce database that stored information for customers who hold accounts with Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City. The company stated that the database contained names, email addresses, dates of birth, encrypted passwords and, in some cases, incomplete credit card numbers. Canadian Tire noted that fewer than 150,000 of the affected accounts included date of birth details. The retailer emphasized that the password and credit card information could not be used to access users’ accounts or to conduct fraudulent transactions and that no Canadian Tire Bank data or Triangle Rewards loyalty information was compromised in the incident.

Canadian Tire reported that more than 38 million accounts were impacted by the breach. This week, the dataset associated with the incident was added to the Have I Been Pwned breach notification site, which indicated that roughly 42 million records were compromised, including 38.3 million email addresses. Have I Been Pwned further noted that the leaked data also contained addresses, phone numbers and gender information, and that passwords were stored as PBKDF2 hashes. For a subset of records, the breach exposed dates of birth along with partial credit card data such as card type, expiry date and a masked card number.

In response to the discovery, Canadian Tire notified the affected individuals by email but has not publicly confirmed the exact number of victims. The company reiterated that the breach did not involve any Canadian Tire Bank information or Triangle Rewards loyalty data. No further details about the attack vector, threat actor identity or remediation timeline were provided in the statements.
