Securities Regulator Reveals Last Summer’s Data Breach Impacted 750,000 Investors
The Canadian Investment Regulatory Organization (CIRO) recently disclosed that a data breach last summer affected 750,000 investors, significantly expanding the initial estimates. The breach resulted from a sophisticated phishing attack identified on August 11, which prompted a prolonged investigation that took over 8,000 hours to complete.
Impact of the Data Breach on Investors
CIRO has begun notifying the affected investors via mail and email, alerting them to the compromised information. The breach might have exposed a variety of sensitive data, including:
- Dates of birth
- Phone numbers
- Annual income
- Social insurance numbers
- Government-issued ID numbers
- Investment account numbers
- Account statements
However, CIRO has confirmed that account login details, such as passwords and security questions, were not part of the breach.
Regulatory Response and Investigation
Following the breach, CIRO swiftly shut down affected systems as a safety precaution and informed member firms within 24 hours. The organization enlisted third-party cybersecurity experts to evaluate the extent of the breach. Initially, CIRO communicated that only registrant information was compromised but later revised that assessment.
CIRO’s chief executive, Andrew Kriegler, emphasized the importance of safeguarding personal information and reassured stakeholders that there was no evidence of data misuse or exposure on the dark web. The comprehensive investigation revealed that the breach involved registration information for about 100,000 financial advisors.
Next Steps for Affected Investors
Each affected investor will receive a letter or email about the incident, dated January 14. To mitigate potential identity theft, CIRO is offering two years of credit monitoring and identity theft protection services through Equifax and TransUnion.
Letters informing investors could take several weeks to arrive. CIRO has committed to enhancing cybersecurity practices following the breach to prevent future incidents.
Class-Action Lawsuit
A former investment adviser has filed a class-action lawsuit against CIRO, alleging negligence for the delay in notifying affected individuals. The complaint highlights a lag of over 30 days before the advisories were sent out, increasing the risk of fraud for those impacted. The lawsuit seeks damages of at least $1,000 per member, along with punitive damages.
CIRO has responded to these allegations, asserting that the organization acted appropriately and within a reasonable timeframe to manage the breach and inform those affected.