CIRO Confirms August Phishing Attack Affecting 750,000 Canadian Investors

The Canadian Investment Regulatory Organization (CIRO) has confirmed that a sophisticated phishing attack, first disclosed in August 2025, has compromised the personal information of approximately 750,000 Canadian investors.

CIRO said it is contacting those affected and will provide two years of free credit monitoring and identity theft protection through two major credit agencies. Impacted investors will receive detailed instructions on how to activate these services.

Data at Risk

The breach may have exposed sensitive information, including dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers, and account statements. CIRO emphasized that account login details such as passwords, PINs, and security questions were not collected and therefore were not at risk.

Investigation Findings

The regulator launched a full investigation with external cybersecurity experts. Early findings showed that registration information for member firms and registered individuals had been affected. CIRO shared those results publicly and directly with members and registrants at the time. After more than 9,000 hours of forensic review, CIRO has now confirmed the full scope of the incident.

No Evidence of Misuse

CIRO stated there is currently no evidence that the information has been misused. Ongoing monitoring has not detected any malicious activity or exposure of the data on the dark web.

In this cybersecurity breach, only certain clients or former clients of CIRO dealer members were impacted. Notification letters to affected clients began on January 14, 2026.