Toys "R" Us Canada

Toys "R" Us Canada disclosed a data breach where an unauthorized third party copied customer records, including names, addresses, emails, and phone numbers, from its databases. The stolen data was posted on the unindexed internet (potentially the dark web), though no passwords, credit card details, or evidence of misuse were reported. The breach was discovered on July 30, but customer notifications were delayed. The company hired cybersecurity experts to confirm the incident, engaged legal counsel, and is reporting the breach to privacy regulators. While no financial or highly sensitive data was compromised, the exposure of personal information raises risks of phishing, spoofing, and fraudulent schemes targeting affected customers. The company advised vigilance against suspicious communications and committed to enhancing security measures to prevent future incidents.

Source: https://edmonton.citynews.ca/2025/10/23/toys-r-us-canada-data-breach/

TPRM report: https://www.rankiteo.com/company/toys'r'us-canada

"id": "toy4892948102325",
"linkid": "toys'r'us-canada",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'Toys and Consumer Goods',
                        'location': 'Canada',
                        'name': 'Toys "R" Us Canada',
                        'type': 'Retail'}],
 'customer_advisories': 'Avoid responding to unexpected/unsolicited '
                        'communications; do not click on suspicious links or '
                        'download attachments; monitor for phishing/spoofing '
                        'attempts',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Low (no financial or highly sensitive '
                                        'personal data)',
                 'type_of_data_compromised': ['names',
                                              'addresses',
                                              'emails',
                                              'phone numbers']},
 'date_detected': '2023-07-30',
 'date_publicly_disclosed': '2023-09-07',
 'description': 'Toys "R" Us Canada notified customers of a data breach that '
                'may have compromised their personal information. The company '
                'learned on July 30 that someone had posted information on the '
                "'unindexed Internet' (possibly the deep or dark web) claiming "
                "to have stolen it from the company's databases. The breach "
                'was confirmed by cybersecurity experts, and affected records '
                'may include customer names, addresses, emails, and phone '
                'numbers. No passwords, credit card details, or similar '
                'confidential data were involved, and no evidence of misuse '
                'was found. The company is reporting the incident to privacy '
                'regulators and advising customers to be cautious of phishing '
                'and spoofing attempts.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
                                       'customer notification and public '
                                       'disclosure',
            'data_compromised': ['names',
                                 'addresses',
                                 'emails',
                                 'phone numbers'],
            'identity_theft_risk': 'Low (no sensitive data like passwords or '
                                   'credit card details compromised)',
            'legal_liabilities': 'Potential regulatory fines or actions '
                                 '(reporting to privacy regulators)',
            'payment_information_risk': 'None (no credit card details '
                                        'involved)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Data posted on the '
                                                    "'unindexed Internet' "
                                                    '(possibly dark web)'},
 'investigation_status': 'Ongoing (cybersecurity experts engaged, reporting to '
                         'regulators)',
 'post_incident_analysis': {'corrective_actions': 'Upgrading systems to '
                                                  'prevent similar incidents'},
 'recommendations': ['Customers advised to avoid responding to '
                     'unexpected/unsolicited emails or texts purporting to be '
                     'from Toys "R" Us',
                     'Customers warned not to click on links or download '
                     'attachments from suspicious emails',
                     'Customers advised to watch for phishing and spoofing '
                     'attempts'],
 'references': [{'date_accessed': '2023-09-07',
                 'source': 'Global News (or original news outlet)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reporting to privacy '
                                                       'regulators (Office of '
                                                       'the Privacy '
                                                       'Commissioner of '
                                                       'Canada)'},
 'response': {'communication_strategy': 'Customer email notification, advisory '
                                        'on phishing/spoofing risks',
              'incident_response_plan_activated': True,
              'remediation_measures': 'Upgrading systems to prevent similar '
                                      'incidents',
              'third_party_assistance': ['Cybersecurity experts']},
 'stakeholder_advisories': 'Customer email notification with guidance on '
                           'phishing/spoofing risks',
 'title': 'Toys "R" Us Canada Data Breach',
 'type': 'Data Breach'}