CIRO Reports Data Security Incident Affecting 750,000 Canadian Investors

The Canadian Investment Regulatory Organisation reported that a data security incident it experienced last year exposed the sensitive personal information of approximately 750,000 Canadian investors.

 

The Canadian Investment Regulatory Organisation (CIRO) is Canada’s national self-regulatory authority for the investment industry, established in 2023 through the merger of IIROC and the MFDA. It oversees investment dealers, mutual fund dealers, and trading across debt and equity markets, with a mandate to protect investors by setting rules, enforcing standards, and maintaining market integrity.

 

In a data security incident notice published on its website, CIRO reported that on August 11, it detected unauthorised activity within its internal network.

 

The organisation immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. It also took steps to secure the affected systems including taking them offline and notified relevant law enforcement authorities about the same.

 

“On August 17, preliminary investigative results indicated that some personal information of member firms and their registered employees was affected,” CIRO said.

 

The compromised data included names, dates of birth, phone numbers, annual income, social insurance numbers, government issued ID numbers, investment account numbers and account statements.

 

CIRO said no account login details, such as passwords, security questions, or PINs, were compromised, and emphasised that Canadians’ investments are not at risk. The organisation holds only limited investor information for compliance purposes and will notify affected individuals and provide risk-mitigation services if its investigation confirms any impact.

 

In a seperate update, the organisation said that it has identified approximately 750,000 Canadian investors impacted by the incident.

 

CIRO has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities.

 

It has also offered complimentary identity protection and credit monitoring services to all affected individuals.

 

Commenting on the data security incident, Andrew Kriegler, President and CEO of CIRO, said, “We are intent on doing right by those who are personally affected. We take our public interest role very seriously. Matters of privacy and security are extremely important to us, as are our guiding organisational values of transparency and accountability. That’s why we remain committed to further strengthening our own cybersecurity defences and data security practices and supporting the ongoing efforts of the broader investment industry.”