Architectural malpractice: Interlake investors just finding out data hacked last August in CIRO security breach


At least 750,000 Canadian investors had their personal and financial data stolen last August after hackers gained access to the IT system of a national investment regulatory body, and some of those investors in the Interlake said they’re just finding out about it now.

A letter an investor received from CIRO indicates the data accessed “includes” their address, date of birth, phone number, social insurance number and account number
A partial list is shown of banking and financial organizations that share client data with CIRO. About 750,000 Canadian investors had their personal and financial information stolen last August after hackers gained access to CIRO’s system

The Canadian Investment Regulatory Organization (CIRO) is a private, self-regulatory organization that patrols investment and mutual fund dealers in Canada. CIRO has a mandate to protect Canadians from improper investment conduct and practices by overseeing the investment industry and ensuring compliance. CIRO obtains investors’ personal and financial data “in the normal course” of carrying out its mandate. 

Its IT system was hacked last August, resulting in access to and exfiltration of a suite of personal and financial information of investors – as well as investment brokers – that included legal name, date of birth, social insurance number, passport information, bank account number(s), financial information, gender, eye colour, height, address, telephone number, email address, beneficiary information, and criminal or civil disclosures.

Two investors whose data was stolen shared parts of a letter they received from CIRO informing them of the breach. One investor lives on the west side of the Interlake and the other is affiliated with an Interlake resident who lives on the east side. Neither wants to be identified and only one investor shared their concerns. 

CIRO had announced on its website via a news release dated Aug. 18, 2025, that it had identified a “cybersecurity threat” on Aug. 11, 2025, and it proactively shut down some of its systems. It stated in that release that “Canadians’ investments are not at risk.” 

That major breach of security flew under the radar of the two investors. And they were blindsided last week when they received a letter from CIRO. 

“After an extensive investigation which included a complex review of the impacted data to identify affected individuals, our investigation now indicates that your personal information was accessed during this incident,” states CIRO’s Jan. 14, 2026, letter to the investor who agreed to speak with the paper. “Unfortunately, this includes your address, phone number, social insurance number, account number.”

The investor said not only did they just become aware of CIRO’s breach, but they had also not been given a heads-up from their financial institution.

“I learned about the breach last week and then received a letter in the mail on Friday [Jan. 30] confirming that my information may have been affected,” said the investor. “I didn’t receive any notification directly from my financial institution, which was frustrating.”

As regards CIRO’s failure to protect their data, the investor said their ability to trust has taken a hit.

“I’m careful about protecting my personal and financial information and I take that responsibility seriously, so it’s disappointing to learn that data I trusted to others to safeguard was compromised,” they said. “I’ve always been an advocate for privacy and data protection, and this has affected my trust.”

CIRO offered the 750,000 Canadians affected by the breach two years’ worth of credit-monitoring services through Equifax and TransUnion, and the investor said they’ll be taking up that offer, as well as keeping a “close eye” on their accounts. That said, they don’t think two years of monitoring goes far enough as their stolen data could be used in perpetuity.

“Data like this can be misused years down the road, and long-term monitoring should be available to every customer who may have been affected. There’s a limit to what individuals can realistically do to be secure. At some point, stronger protections have to be in place at a higher level, and government needs to act,” they said. “I think CIRO and the financial institutions involved need to be transparent, communicate clearly and provide ongoing support to those affected. This shouldn’t end with a letter – people deserve reassurance that real improvements are being made to prevent this from happening again.”

CIRO’s letter to the other investor is nearly identical, including its issue date, but it states the investor’s date of birth was accessed in addition to other vital information. 

Both letters indicate a possibility – by use of the word “includes” – that the two investors may have had more personal and financial information stolen than what the letters spell out.

CIRO lists on its website hundreds of financial institutions from which it obtains investors’ data. These “dealers” include well known names such as BMO Nesbitt Burns, CIBC World Markets, National Bank Financial, RBC Dominion Securities, TD Waterhouse Canada, Assante Capital Management, Aviso Financial, Desjardins Securities, Investors Group Securities, Richardson Wealth, Sun Life Canada Securities, and Morgan Stanley Canada. Credit unions offering investment services have partnerships with some of the large financial companies listed.

Hackers can do a lot of damage with stolen personal and financial data. They can clone it several times over and sell it on the dark web to other criminals or impersonate an individual to open a bank account, apply for loans, apply for credit cards, make purchases, steal the title to a property and sell it, apply for an additional mortgage, or demand a ransom in exchange for a promise to not sell the data. They can also attempt to access victims’ accounts and change passwords.

Bill Buckels lives in the Interlake and is a retired systems analyst, software engineer and wealth systems manager. The Express asked him to explain what he believes happened as he used to build IT systems for large financial companies in Canada, the U.S. and internationally, including RBC Dominion Securities, National Bank, various stock exchanges and international banking systems. He said he knows how data security should be structured, and it’s clear that CIRO’s IT system was not built to do information hiding. 

“In my day, the protocol was to hide client information and never transmit that data across the Internet. Ever. Not if you wanted to have system integrity. Internal IT systems can be set up in such a way that there’s a complete separation between transactions and clients so that client data would never be exposed,” said Buckels. 

“CIRO’s security lapse is a serious breach of the personal and financial data of three quarters of a million Canadian investors. And what’s equally serious is that CIRO didn’t inform some of those investors – we don’t know exactly how many – about what happened until maybe a month later or over four months later, according to the class-action lawsuit, after its system was hacked. This to me is criminal negligence on the part of the CIRO board. They enabled this data breach by not doing their proper due diligence with regard to IT and data security. The board is in charge; they have the keys to the place and they left all the doors unlocked.” 

He’s questioning why CIRO needs to have investors’ personal data in the first place as that information should be held only by banks and financial institutions.

“CIRO is a private oversight committee, not a police force, and it should never have been able to copy investors’ data from the servers of banks and financial institutions. The system CIRO is using actually makes a second copy of client data – it’s called cloning – even though it’s encrypted. CIRO’s system puts that copy on their own server, whose soft underbelly was exposed because CIRO failed to protect it. So if it can’t protect its server, why isn’t CIRO using an IT system that doesn’t identify clients?” he said.

“CIRO could carry out its oversight duties by using a system that uses a transaction number it gets from a financial institution that’s following a certain set of business rules, rules that comply with regulatory oversight. The transfer of data should use the language of the so-called geeks and nerds who put everything in code. There should be no human-language data available to CIRO. This organization shouldn’t be able to know investors’ personal information …. The way to separate financial reporting from client information is through an information-hiding system.”

When people used to go to HIV clinics for testing back in the 1980s at a time when there was a huge stigma around the virus, Buckels said the clinic would assign people a number instead of a name and do anonymous testing. CIRO should have had that kind of system – and should have that going forward – in order to protect client information.
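What Buckels describes above, a dealer reporting trades against a reference number while the human-readable identity never leaves the institution, looks roughly like the following. This is an added example written for this page; it is not CIRO’s, any dealer’s, or Buckels’ code, and the sample records, the dealer key, the field names and the one surveillance rule are all constructed for illustration.

```python
"""Pseudonymous regulatory reporting: the dealer keeps identities, the
regulator receives only references plus the trade data it needs.

Added example for this article, not code from CIRO or any dealer.
Every record, key and name below is constructed for illustration."""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Constructed sample of what a dealer's own books hold: identity AND trades.
DEALER_BOOKS = [
    {"name": "A. Investor", "sin": "046454286", "dob": "1970-01-01", "account": "12345",
     "symbol": "XYZ", "side": "BUY", "qty": 500, "date": "2025-08-01"},
    {"name": "A. Investor", "sin": "046454286", "dob": "1970-01-01", "account": "12345",
     "symbol": "XYZ", "side": "SELL", "qty": 500, "date": "2025-08-01"},
    {"name": "B. Investor", "sin": "123456782", "dob": "1985-05-05", "account": "67890",
     "symbol": "ABC", "side": "BUY", "qty": 10, "date": "2025-08-02"},
]
REPORT_FIELDS = ("symbol", "side", "qty", "date")   # what oversight actually needs
PII_FIELDS = ("name", "sin", "dob", "account")      # what never leaves the dealer


def client_ref(dealer_key: bytes, sin: str) -> str:
    """Stable pseudonym for one person. Keyed (HMAC), so only the key holder,
    the dealer, can derive or verify it; the regulator never sees the key."""
    return hmac.new(dealer_key, sin.encode(), hashlib.sha256).hexdigest()[:16]


def build_report(books, dealer_key):
    """Split the dealer's records into (regulator report, dealer-only vault)."""
    report, vault = [], {}
    for rec in books:
        ref = client_ref(dealer_key, rec["sin"])
        vault[ref] = {k: rec[k] for k in PII_FIELDS}          # stays at the dealer
        report.append({"client_ref": ref, **{k: rec[k] for k in REPORT_FIELDS}})
    return report, vault


def flag_same_day_round_trips(report):
    """Toy surveillance rule the regulator can run on pseudonymous data alone:
    a client that both buys and sells the same symbol on the same day."""
    sides_seen = defaultdict(set)
    flagged = set()
    for r in report:
        key = (r["client_ref"], r["symbol"], r["date"])
        sides_seen[key].add(r["side"])
        if sides_seen[key] == {"BUY", "SELL"}:
            flagged.add(r["client_ref"])
    return flagged


SIN_SHAPE = re.compile(r"\d{9}")


def leaked_sins(report):
    """What a thief of the regulator's copy would find: nothing SIN-shaped."""
    return [v for r in report for v in r.values()
            if isinstance(v, str) and SIN_SHAPE.fullmatch(v)]


def reidentify(vault, ref):
    """Lawful-request path: the regulator sends a reference back to the dealer
    that issued it, and only the dealer can turn it into a person."""
    return vault.get(ref)


def unkeyed_hash_is_not_a_pseudonym(sin, candidates):
    """Why a plain hash of the SIN would NOT hide it: SINs are only 9 digits, so an
    attacker hashes every candidate and matches. Shown on a constructed list."""
    target = hashlib.sha256(sin.encode()).hexdigest()
    return next((c for c in candidates
                 if hashlib.sha256(c.encode()).hexdigest() == target), None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and kept by the dealer, never transmitted
    report, vault = build_report(DEALER_BOOKS, key)
    print("SIN-shaped values in regulator copy:", leaked_sins(report))
    for ref in flag_same_day_round_trips(report):
        print("flagged", ref, "-> dealer resolves to", reidentify(vault, ref)["name"])
```

Two design points worth noting. Because each dealer uses its own key, the same investor gets a different reference at each dealer; linking activity across dealers would need a keyed scheme operated by someone other than the regulator, which is a deliberate cost of keeping identity out of the regulator’s store. And the last function shows why “hashed” is not the same as “hidden”: an unkeyed SHA-256 of a nine-digit number is reversed by enumerating the roughly one billion possibilities, which commodity hardware does in minutes, so the pseudonym must depend on a secret the data holder keeps.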

In addition to CIRO’s board being at fault for failing to secure investors’ data, he puts the weak security protocol down to the attitude of Gen Y and Gen Z who are building the IT systems of today and failing to question systems that look at data from a “non-machine” point of view.

“When did CIRO implement this IT system? I guess we’d have to ask CIRO – and we’d have to ask Gen Y and Z, as well, as they invented these systems and these rules. This is like having the fox guarding the hen house,” said Buckels. “I don’t know any reason why CIRO would need to know client data. But they think it’s okay to transmit it over the Internet and store copies of it on their server. There’s a level of arrogance here, too, where they think their system can’t be hacked, that whatever level of encryption they’re using is secure enough to allow them to store sensitive data and do queries on their server. CIRO is not competent and should be shut down.”

As for the role of banks and financial institutions sharing investors’ data with CIRO, Buckels said he’s sure they’re “hiding behind regulation to deny their fiduciary responsibility.”

He thinks two years’ worth of credit monitoring is “insulting” as 750,000 Canadians will need new social insurance numbers, new bank accounts, new driver’s licenses and so forth to better protect themselves.

He reached out to federal finance minister François-Philippe Champagne and the Manitoba Securities Commission to request a criminal investigation of CIRO under Section 219 of the Criminal Code, he said. In his view, CIRO committed “architectural malpractice” by abandoning foundational principles of information hiding and created a “sniffer’s paradise” (a sniffer is a computing tool used to capture or intercept data packets flowing across a network).

The Express contacted CIRO, asking how many hours or days CIRO’s system was breached, how far back in time the compromised data go, why CIRO needs to clone clients’ personal information, how many years it has been cloning client data, how exactly is CIRO enhancing its IT system in the aftermath of the breach, whether it will continue to have future access to investors’ personal data, and whether it thinks it’s competent to continue its regulatory role.

Apart from the question pertaining to cloning data, CIRO’s director of corporate communications and public affairs, Sean Hamilton, declined to answer the questions, saying the newspaper can find those answers on its FAQ page, news release and “about us” page.

The paper could not find answers to its questions through those sources.

Hamilton offered a statement denying that CIRO “clones or transmits” data, saying CIRO is on the receiving end for data.

“To be clear, CIRO does not clone or transmit personal information. CIRO receives information in the normal course of carrying out its regulatory mandate to protect investors from improper investment conduct and practices, and conducting its investigative, compliance assessment and market surveillance work,” said Hamilton. 

But CIRO is being sued for allowing the personal and financial information of 750,000 Canadians that it holds as copies in its system to be stolen. An application for a class-action lawsuit against CIRO was brought before the Quebec Superior Court on Oct. 6, 2025. 

It states CIRO failed to implement adequate cybersecurity and data protection measures, and committed a fault inconsistent with the trust placed in it by registrants, investors and the public. And CIRO is being “summoned” to retain all investigation reports and findings related to the breach, including “copies of the stolen data sets.”

The full text of the suit is available on Lex Group Inc.’s website.

In addition to offering credit monitoring through Equifax and TransUnion for two years, CIRO said in its letter to compromised investors that the credit-monitoring service includes monitoring the dark web for Canadians’ stolen data.

Equifax itself was hacked in 2017, resulting in a major data breach that accessed names, addresses, social insurance numbers and in some cases the credit cards of about 100,000 Canadians, as well as the personal data of 143 million Americans. The breach was caused by Equifax’s failure to patch a known software vulnerability in the Apache Struts web framework on a public-facing application, months after the fix had been published.

The Express contacted the Manitoba Securities Commission (MSC), whose website notes CIRO’s cybersecurity breach and states that CIRO wants investors with questions to contact them [i.e., CIRO].

The paper asked MSC how many Manitoba investors out of the 750,000 had their personal and financial data stolen, when MSC found out about CIRO being hacked, why financial institutions in Manitoba didn’t notify their investment clients about the data theft, whether Docusign (electronic signatures) was part of the data breach, and what MSC is doing to protect Manitobans’ data.

The commission did not respond.

Patricia Barrett
Reporter / Photographer
