An investigation into a previously disclosed data breach affecting investors has found the breach to be much larger than initially reported.
The Canadian Investment Regulatory Organization (CIRO) has confirmed that information about 750,000 investors was compromised by a “sophisticated phishing attack” in August 2025.
CIRO is a self-regulatory organization that oversees all investment dealers, mutual fund dealers and trading activity on Canada’s debt and equity marketplaces. The data breach affected registration information for member organizations and investors, who have been or are in the process of being notified.
“We deeply regret this occurred and apologize for any inconvenience or concern. CIRO is reaching out to affected investors to alert them of the incident and offering credit monitoring as an added precaution,” according to a new statement from the organization detailing the breadth of the breach.
When the breach was initially reported on Aug. 11, CIRO shut down some services and said some information about member firms and registered employees was affected.
Information that may have been taken from the organization includes dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers and account statements.
CIRO says it does not collect account login details, including passwords, security questions and PINs, so that information is not at risk.
“We are intent on doing right by those who are personally affected,” said Andrew Kriegler, president and chief executive officer of CIRO, in the statement. “We take our public interest role very seriously … we remain committed to further strengthening our own cybersecurity defences and data security practices and supporting the ongoing efforts of the broader investment industry.”
The securities organization says that after 9,000 hours of investigation using third-party investigators, it has determined the extent of the breach and that, so far, there is no evidence that information has been misused or is available on the dark web.
CIRO is reaching out to affected investors and providing them with two years of credit monitoring and identity theft protection.