For current and past registrants affected by the Canadian Investment Regulatory Organization’s (CIRO) data breach last August, the opportunity to sign up for credit monitoring and identity-theft protection is coming to an end.
The deadline to register with Equifax and TransUnion is Saturday, Jan. 31, CIRO confirmed in an email. “We encourage anyone who received a letter [in fall 2025] and does not already have credit monitoring to sign up,” the regulator’s email said.
The uptake for credit protection services has been “in line with expectations,” the email said.
The 750,000 affected investors who receive a notification letter have until April 30 to register with Equifax and TransUnion, the email said. The regulator began sending notification letters to investors on Jan. 14, including through Canada Post, and it may take several weeks for letters to arrive, the CIRO website says.
“Registrants and investors should understand these services are provided as a precaution and in order to help detect possible misuse of information,” the regulator’s email said. “There is currently no evidence that the information has been misused. None of the information has appeared on the dark web.”
Among the tips to manage long-term identity-theft risk is to watch for targeted phishing, because stolen personal information can be used to create hyper-personalized scams, aided by AI.
In a risk-mitigation checklist for affected investors, FAIR Canada says, “When in doubt [about phishing attempts] contact your advisor or financial institution directly using official contact information.”
CIRO said it “directly notified those whose information was involved, providing them with clear guidance on next steps, including security best practices” as well as the credit and identity protection services.
“We remain fully committed to supporting member firms, registered individuals and investors as we work toward a comprehensive and appropriate resolution,” the regulator’s email said.