CIRO discloses scale of August 2025 cyber incident
A phishing attack on CIRO exposed personal and financial data linked to hundreds of thousands of people across Canada.
Canada’s investment regulator has confirmed a major data breach affecting around 750,000 people after a phishing attack in August 2025.
The Canadian Investment Regulatory Organization (CIRO) said threat actors accessed and copied a limited set of investigative, compliance, and market surveillance data. Some internal systems were taken offline as a precaution, but core regulatory operations continued across the country.
CIRO reported that personal and financial information was exposed, including income details, identification records, contact information, account numbers, and financial statements collected during regulatory activities in Canada.
No passwords or PINs were compromised, and the organisation said there is no evidence that the stolen data has been misused or shared on the dark web.
Affected individuals are being offered two years of free credit monitoring and identity theft protection as CIRO continues to monitor for further malicious activity nationwide.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!