CIRO, Canada’s investment industry regulator, suffered a data breach on August 11 when hackers targeted its systems, potentially accessing sensitive personal information of current and former registrants, including top executives from major banks (RBC, TD, Scotiabank, BMO, CIBC) and wealth management firms. Compromised data may include full names, residential addresses, emails, phone numbers, birth dates/places, passport details (for non-Canadians), bank account numbers (if part of financial solvency disclosures), investment/beneficiary details, civil/criminal disclosures, and investigation notes. While SINs, credit card details, and direct payment info were not exposed, the breach impacts high-profile individuals (CEOs, CFOs, CCOs, traders, and UDP-designated compliance officers) across capital markets, wealth management, and brokerage sectors. CIRO proactively shut down some systems upon detecting the threat (August) but delayed notifications until September 9 for affected individuals (firms were alerted August 18). The regulator claims no risk to individual investments but acknowledges potential reputational harm, identity theft risks, and operational disruptions for member firms. The incident underscores vulnerabilities in regulatory bodies handling high-value financial sector data, with implications for trust in compliance oversight and potential follow-on phishing or fraud schemes targeting exposed executives.
TPRM report: https://www.rankiteo.com/company/ciro-canadian-investment-regulatory-organization
"id": "cir4144141100325",
"linkid": "ciro-canadian-investment-regulatory-organization",
"type": "Breach",
"date": "5/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Current and former registrants '
'of member firms (including '
'executives, supervisors, '
'traders, investors, and '
'senior-level employees at '
'financial institutions)',
'industry': 'Financial Services Regulation',
'location': 'Canada',
'name': 'Canadian Investment Regulatory Organization '
'(CIRO)',
'type': 'Regulatory Body'},
{'customers_affected': 'Senior executives in capital '
'markets, wealth management, and '
'investment brokerages',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Bank of Montreal (BMO)',
'size': 'Large',
'type': 'Bank'},
{'customers_affected': 'Senior executives in capital '
'markets, wealth management, and '
'investment brokerages',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Bank of Nova Scotia (Scotiabank)',
'size': 'Large',
'type': 'Bank'},
{'customers_affected': 'Senior executives in capital '
'markets, wealth management, and '
'investment brokerages',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Canadian Imperial Bank of Commerce (CIBC)',
'size': 'Large',
'type': 'Bank'},
{'customers_affected': 'Senior executives in capital '
'markets, wealth management, and '
'investment brokerages',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Royal Bank of Canada (RBC)',
'size': 'Large',
'type': 'Bank'},
{'customers_affected': 'Senior executives in capital '
'markets, wealth management, and '
'investment brokerages',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Toronto-Dominion Bank (TD Bank)',
'size': 'Large',
'type': 'Bank'},
{'customers_affected': 'Senior executives',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Richardson Wealth',
'type': 'Wealth Management Firm'},
{'customers_affected': 'Senior executives',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Wellington Altus',
'type': 'Wealth Management Firm'},
{'customers_affected': 'Senior executives',
'industry': 'Financial Services',
'location': 'Canada',
'name': 'Canaccord Genuity Group Inc.',
'type': 'Financial Services Firm'}],
'customer_advisories': 'Letters sent to affected individuals with guidance on '
'protecting themselves; CIRO stated individual '
'investments are not at risk',
'data_breach': {'data_exfiltration': 'Likely (data accessed by hackers)',
'personally_identifiable_information': ['Names',
'Residential '
'addresses',
'Email addresses',
'Telephone numbers',
'Birth dates',
'Places of birth',
'Passport information '
'(for non-Canadian '
'citizens)'],
'sensitivity_of_data': 'High (includes PII, financial, and '
'legal investigation data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Information (partial)',
'Investment Information '
'(partial)',
'Legal/Investigation '
'Information']},
'date_detected': '2024-08-11',
'date_publicly_disclosed': '2024-09-10',
'description': 'Top Bay Street executives and registered individuals received '
'notifications that their personal information may have been '
'accessed during a data breach at Canada’s investment industry '
'regulator, CIRO. The breach occurred on August 11, 2024, when '
'hackers targeted the self-regulatory organization. Personal '
'data such as names, addresses, email addresses, phone '
'numbers, birth dates, places of birth, bank account numbers '
'(if included in financial solvency disclosures), investment '
'and beneficiary information, civil/criminal disclosures, '
'investigation notes, and passport information for '
'non-Canadian citizens were potentially compromised. CIRO '
'confirmed that social insurance numbers and credit '
'card/payment information were not disclosed. The regulator '
'proactively shut down some systems upon detecting the threat '
'on August 11 and began notifying affected individuals on '
'September 9, 2024.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to CIRO '
'and affected financial institutions',
'data_compromised': ['Personal names',
'Residential addresses',
'Email addresses',
'Telephone numbers',
'Birth dates',
'Places of birth',
'Bank account numbers (if included in '
'financial solvency disclosures)',
'Investment and beneficiary information (if '
'included in disclosures)',
'Civil and criminal disclosures',
'Investigation notes',
'Passport information (for non-Canadian '
'citizens)'],
'downtime': 'Partial (some systems proactively shut down as a '
'precaution)',
'identity_theft_risk': 'High (due to exposure of personally '
'identifiable information)',
'operational_impact': 'Notification process initiated; '
'investigation ongoing',
'payment_information_risk': 'Low (credit card/payment information '
'confirmed not disclosed)'},
'initial_access_broker': {'high_value_targets': ['Executives at major '
'Canadian banks and wealth '
'management firms']},
'investigation_status': 'Ongoing (CIRO investigating the breach and its '
'impacts)',
'references': [{'date_accessed': '2024-09-10',
'source': 'The Globe and Mail',
'url': 'https://www.theglobeandmail.com'}],
'regulatory_compliance': {'regulatory_notifications': 'CIRO notified '
'investment firms on '
'August 18, 2024; '
'individuals notified '
'starting September 9, '
'2024'},
'response': {'communication_strategy': 'Letters sent to affected individuals '
'(starting September 9, 2024); '
'investment firms notified on August '
'18, 2024',
'containment_measures': 'Proactive shutdown of some systems to '
'ensure safety',
'incident_response_plan_activated': 'Yes (systems proactively '
'shut down; investigation '
'initiated)'},
'stakeholder_advisories': 'CIRO working with Canadian Bankers Association and '
'member banks to understand impacts',
'title': 'Data Breach at Canadian Investment Regulatory Organization (CIRO)',
'type': ['Data Breach', 'Unauthorized Access']}