**DATA BREACH ROCKS CANADA'S INVESTMENT WATCHDOG, IMPACTING 750,000 PEOPLE**

A devastating data breach has struck Canada's investment watchdog, the Canadian Investment Regulatory Organization (CIRO), exposing sensitive personal and financial information of approximately 750,000 individuals.

CIRO, responsible for overseeing investment dealers and marketplaces in Canada, is tasked with protecting investors, enforcing compliance, and maintaining fair and efficient capital markets. Unfortunately, a phishing attack in August 2025 resulted in the theft of personal data from nearly three-quarters of a million people.

The breach, which forced some systems offline but did not disrupt critical operations, has left many wondering about the security measures in place at CIRO. According to the organization's own statement, threat actors stole a limited set of investigative and investor data during the attack, copying sensitive information including income, IDs, contact details, account numbers, and statements collected as part of its regulatory and investigative activities.

Despite the severity of the breach, CIRO assures that no passwords or PINs were exposed. Additionally, there is no evidence to suggest that the stolen data has been misused or made available on the dark web. However, the organization is taking proactive steps to mitigate any potential harm by offering affected individuals two years of free credit monitoring and identity theft protection.

In a statement published on its FAQ page, CIRO explained the circumstances surrounding the breach:

"In August 2025, CIRO identified a cybersecurity incident. We took immediate steps to contain the incident, secure our systems and protect the information in our care. We notified law enforcement and all relevant authorities including privacy commissions across Canada."

CIRO retained a leading third-party forensic IT investigator to determine what information was impacted by the breach. After reviewing over 9,000 hours of data, the investigation revealed that a limited subset of investigative, compliance, and market surveillance data had been copied from their system.

The organization emphasized that it received this sensitive information in the normal course of carrying out its regulatory mandate to protect investors from improper investment conduct and practices. However, CIRO is unable to process individual deletion requests for investor information, citing its need to retain this data for investigative, compliance assessment, and market surveillance work.

As a precautionary measure, CIRO will continue to monitor for malicious activity and provide affected individuals with free credit monitoring and identity theft protection. The incident serves as a stark reminder of the importance of robust cybersecurity measures in protecting sensitive information and maintaining public trust.

Stay tuned for updates on this developing story by following me on Twitter: @securityaffairs, Facebook, and Mastodon (SecurityAffairs – hacking, Canadian Investment Regulatory Organization).