Cyber Incident Victim: Canadian Investment Regulatory Organization
Date:
Aug 2025
Location:
Canada
Summary
The Canadian Investment Regulatory Organization disclosed that a sophisticated phishing attack compromised the personal information of approximately 750,000 individuals, including annual income, dates of birth, government‑issued ID numbers, phone numbers, investment account numbers, social insurance numbers and account statements. The breach led to some systems being shut down but did not affect critical functions, and the organization said no passwords, PINs or security questions were stored or exposed. It stated there is no evidence of misuse of the data and is providing affected individuals with two years of free credit monitoring and identity‑theft protection while continuing to monitor for malicious activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In August 2025, the Canadian Investment Regulatory Organization experienced a cyberattack that began with a sophisticated phishing attempt, leading to the compromise of some of its systems and the temporary shutdown of certain services. The organization confirmed that the breach did not affect its critical functions. CIRO’s internal investigation identified the incident as a data breach and determined that the attackers gained access to personal information held by the organization. On August 18, 2025, CIRO publicly disclosed the breach, stating that its preliminary review indicated that personal information of member firms and their registered employees had been affected.
The compromised data set included annual income, dates of birth, government‑issued identification numbers, phone numbers, investment account numbers, social insurance numbers, and account statements for approximately 750,000 individuals. CIRO emphasized that it does not store passwords, PINs, or security questions, so those types of credentials were not exposed in the incident. The organization noted that the information was obtained in the normal course of its regulatory activities, which involve collecting data from member firms to protect investors. CIRO said it has found no evidence that the stolen data has been misused and has not observed any related activity on the dark web.
CIRO stated that it is confident the incident is contained and that there is no active threat remaining in its environment. As a precaution, the organization continues to monitor for any malicious activity and is offering two years of free credit monitoring and identity theft protection services to all affected individuals. Notification letters have been sent to the impacted clients and former clients of CIRO dealer members, and an FAQ page has been published to provide additional details about the breach and the support being offered. CIRO remains a pan‑Canadian self‑regulatory body responsible for overseeing the business conduct of investment and mutual fund dealers across Canada.