A data breach at Canada’s investment watchdog, Canadian Investment Regulatory Organization (CIRO), impacted about 750,000 people.
The Canadian Investment Regulatory Organization (CIRO) is Canada’s national self-regulatory body overseeing investment dealers and marketplaces, protecting investors, enforcing compliance, and maintaining fair, efficient capital markets.
CIRO announced that threat actors stole personal data of 750,000 people in an August 2025 phishing attack. The breach forced some systems offline but did not disrupt critical operations.
CIRO stated it contained the security incident, found no ongoing threat, and confirmed that data tied to member firms and registered employees was affected.
In August 2025, CIRO detected a cyber incident and contained it quickly. The organization notified authorities and launched a forensic investigation with the help of cybersecurity experts. The organization revealed that a limited set of investigative and investor data was copied.
“In August 2025, CIRO identified a cybersecurity incident. We took immediate steps to contain the incident, secure our systems and protect the information in our care. We notified law enforcement and all relevant authorities including privacy commissions across Canada,” reads the FAQ page published by CIRO. “Once contained, we retained a leading third-party forensic IT investigator to determine what information was impacted. After more than 9,000 hours of review, that investigation determined that a limited subset of investigative, compliance and market surveillance data, including some of investor information, was copied from our system.”
CIRO said the breach exposed sensitive personal and financial data, including income, IDs, contact details, account numbers, and statements collected as part of its regulatory and investigative activities. CIRO noted that no passwords or PINs were exposed and said it found no evidence of data misuse or any exposure or activity on the dark web.
“CIRO received this information in the normal course of carrying out its regulatory mandate to protect investors from improper investment conduct and practices, and through its investigative, compliance assessment and market regulation work,” the organization says. “CIRO will delete investor information when no longer required for its investigative, compliance assessment and market surveillance work, however we are unable to process individual deletion requests.”
CIRO is continuing to monitor for malicious activity and is offering affected individuals two years of free credit monitoring and identity theft protection.
(SecurityAffairs – hacking, Canadian Investment Regulatory Organization)
