Canadian Tire Corporation (CTC)

In early October 2025, Canadian Tire Corporation (CTC) confirmed a data breach affecting one of its e-commerce databases. The incident exposed basic personal details of approximately 150,000 individuals, including names, addresses, emails, and years of birth. Some records also contained encrypted passwords and partial (incomplete) credit card numbers, similar to those found on store receipts. While no full financial data (e.g., from Canadian Tire Bank or Triangle Rewards) was compromised, the exposed information remains valuable to cybercriminals for targeted phishing, credential stuffing, or identity theft over time. CTC secured the vulnerability promptly and notified affected customers via TransUnion Canada, though not all impacted individuals received direct alerts. The breach, though limited in scope, underscores the long-term risk that even minor data exposures fuel fraud and scams.

Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/was-your-data-exposed-in-the-canadian-tire-breach-heres-what-to-do-next

TPRM report: https://www.rankiteo.com/company/canadian-tire

"id": "can4192141103025",
"linkid": "canadian-tire",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '150,000',
                        'industry': 'Retail (General Merchandise, Automotive, '
                                    'Sports, Apparel)',
                        'location': 'Canada',
                        'name': 'Canadian Tire Corporation (CTC)',
                        'type': 'Retail Corporation'}],
 'customer_advisories': ['No action required if no notification received from '
                         'TransUnion Canada.',
                         'All customers advised to monitor for unusual '
                         'activity and potential phishing attempts.'],
 'data_breach': {'data_encryption': 'Partial (passwords were encrypted; credit '
                                    'card numbers incomplete)',
                 'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '150,000',
                 'personally_identifiable_information': ['full names',
                                                         'physical addresses',
                                                         'email addresses',
                                                         'year of birth'],
                 'sensitivity_of_data': 'Moderate (limited PII but combinable '
                                        'with other breaches for higher risk)',
                 'type_of_data_compromised': ['personal identifiable '
                                              'information (PII)',
                                              'partial payment information']},
 'date_detected': '2025-10-02',
 'date_publicly_disclosed': '2025-10-02',
 'description': 'Early in October 2025, Canadian Tire Corporation (CTC) '
                'confirmed a data breach exposing customer information from '
                'one of its e-commerce databases. The breach was limited to '
                'basic details of about 150,000 individuals, including names, '
                'addresses, emails, and year of birth. Some records contained '
                'encrypted passwords and incomplete credit card numbers '
                '(similar to store receipts). The incident did not affect '
                'Canadian Tire Bank or Triangle Rewards data. CTC secured the '
                'system promptly and continues to strengthen defenses. '
                'Affected customers are being notified by TransUnion Canada '
                'via email or mail. The exposed data, though limited, poses '
                'risks for phishing, credential stuffing, and identity theft '
                'if combined with other breached data.',
 'impact': {'brand_reputation_impact': 'Potential long-term risk due to '
                                       'phishing and identity theft concerns',
            'data_compromised': ['names',
                                 'addresses',
                                 'emails',
                                 'year of birth',
                                 'encrypted passwords (partial)',
                                 'incomplete credit card numbers (last 4 '
                                 'digits or similar to receipts)'],
            'identity_theft_risk': 'High (due to combination with other '
                                   'breached data)',
            'payment_information_risk': 'Low (only incomplete/partial credit '
                                        'card numbers exposed)',
            'systems_affected': ['e-commerce database']},
 'investigation_status': 'Contained; ongoing defense strengthening',
 'post_incident_analysis': {'corrective_actions': ['Strengthening e-commerce '
                                                   'database defenses '
                                                   '(specifics undisclosed)']},
 'recommendations': ['Monitor for phishing emails and scams targeting exposed '
                     'data (e.g., fake refund offers).',
                     'Use services like Bitdefender Digital Identity '
                     'Protection to scan for exposed personal data on the dark '
                     'web.',
                     'Enable multi-factor authentication (MFA) on accounts '
                     'linked to the exposed email addresses.',
                     'Regularly update passwords, especially if they were '
                     'encrypted in the breach.',
                     'Be cautious of unsolicited communications requesting '
                     'personal or financial information.'],
 'references': [{'source': 'Canadian Tire Corporation Data Breach Notice'},
                {'source': 'Bitdefender Advisory on CTC Breach'}],
 'response': {'communication_strategy': ['Direct notifications via TransUnion '
                                         'Canada (email/mail)',
                                         'Public breach notice'],
              'containment_measures': ['Secured the affected e-commerce '
                                       'database'],
              'incident_response_plan_activated': 'Yes (system secured '
                                                  'promptly)',
              'remediation_measures': ['Strengthening defenses (details '
                                       'unspecified)'],
              'third_party_assistance': ['TransUnion Canada (customer '
                                         'notifications)']},
 'stakeholder_advisories': 'Customers with detailed exposed data notified via '
                           'TransUnion Canada.',
 'title': 'Canadian Tire Corporation (CTC) E-Commerce Database Breach',
 'type': ['data breach', 'unauthorized access']}