Approximately 750,000 Canadian investors were affected by a sophisticated phishing attack first disclosed in August 2025.
The self-regulatory organization announced the full extent of the breach on January 14, 2026, after completing a comprehensive forensic investigation spanning over 9,000 hours of examination.
The unauthorized access resulted from a targeted phishing campaign that compromised sensitive investor data held by CIRO in the course of its regulatory mandate.
The impacted information includes dates of birth, phone numbers, annual income figures, social insurance numbers, government-issued identification numbers, investment account numbers, and account statements.
CIRO emphasized that it did not collect account login credentials, such as passwords, security questions, or PINs, and that these therefore remained secure throughout the incident.
The breach affected only specific clients and former clients of CIRO dealer members. CIRO President and CEO Andrew Kriegler issued an apology, stating the organization is committed to supporting those personally affected while strengthening cybersecurity defenses and data security practices across the broader investment industry.
Response and Mitigation Measures
CIRO responded by immediately containing the incident and securing its systems upon discovery.
The organization engaged leading third-party forensic IT investigators and notified law enforcement agencies and relevant privacy commissioners.
The preliminary investigation initially revealed that registration information for member firms and registered individuals had been compromised, prompting immediate notification to affected parties.
As a precautionary measure, CIRO is providing impacted investors with two years of complimentary credit monitoring and identity theft protection services through both major credit agencies.
The organization reports no current evidence of information misuse and continues monitoring for malicious activity.
No threat activity or data exposure has been identified on the dark web as of the announcement date.
Affected investors began receiving notification letters from CIRO on January 14, 2026, with detailed instructions for activating protection services.
Individuals who believe they may have been impacted can verify their status through CIRO’s dedicated cyber incident webpage.
