“It’s going to be a process.”
That’s what Andrew Kriegler, CEO of the Canadian Investment Regulatory Organization (CIRO), said about the ongoing regulatory response to CIRO’s August data breach. That response includes re-evaluating the types of data that the regulators collect, Kriegler said. At the end of the process, CIRO aims to be “best in class,” he said. Kriegler made the comments in mid-October at the annual conference of the Securities and Investment Management Association.
In the aftermath of the CIRO breach, which exposed personal information of registrants past and present, financial advisors are also undergoing a process — of ongoing credit monitoring and guarding against identity theft.
Advisors are hardly alone, however. The proportion of Canadians age 15 and older experiencing cybersecurity incidents — from unsolicited spam to fraudulent payment card use — increased to 70% in 2022 from 58% in 2020, according to the Canadian internet use survey sponsored by Innovation, Science and Economic Development Canada.
In 2021, the Canadian Anti-Fraud Centre issued a warning about increased identity-fraud reporting: “Fraudsters are using personal information about Canadians to apply for government benefits, credit cards, bank accounts, cell phone accounts or even take over social media and email accounts,” the centre says on its website. “It is important that Canadians take steps to secure their personal and financial information and know what to do when identity fraud occurs.”
What individuals should do after a data breach
- Harden accounts: change all passwords, enable multi-factor authentication
- Protect your financial identity: use credit monitoring, add fraud alerts, freeze credit files (for those in Quebec)
- Monitor for long-tail fraud (of particular importance when passwords or personally identifiable information has been exposed, such as email, bank account number or passport number). Identity theft often occurs 12–36 months after a breach: unauthorized credit applications, account changes at financial institutions or the Canada Revenue Agency, SIM swaps, invoices and accounts you didn’t create
- Watch for targeted phishing: stolen personal information is used to create hyper-personalized scams, aided by AI
Source: Darace Rose
Darace Rose, co-founder and CEO of cybersecurity firm Oppos Inc. in Mississauga, Ont., said a data breach is “the beginning of a long-term identity risk.”
When individuals are informed of a breach, they should “harden” their digital footprint — “the most important step after a breach,” Rose said. That includes updating passwords, beginning with email. Rose suggested using passphrases instead of creating passwords using personal information such as birth dates. Passwords should be regularly updated, he added.
Patrick Boudreau, TransUnion Canada’s head of fraud in Toronto, said multi-factor authentication (MFA) should be enabled on accounts, including social media accounts. Use app-based MFA rather than SMS-based (short message service) codes, which can potentially be bypassed, Rose said.
Also, ensure that no personal information is associated with your social media accounts. “When it comes to social media … never add … your real date of birth, address, telephone number [or] email,” Boudreau said.
All of that information was part of the CIRO data breach. Other personal information that may have been exposed included height, weight and eye colour — information that caught the attention of Julie Kuzmic, head of consumer advocacy and compliance with Equifax in Toronto. “You don’t tend to read a lot about that sort of data being breached,” she said. The concern is that, generally, “the more information someone is able to compile on an individual, the potential greater risk that there may be an opportunity to [use] that person’s identity.”
Bad actors could call or email you, trying to get the missing pieces of personal information they need to obtain a “full wholesome identity,” Boudreau said. “Be cautious of any inbound calls” and “be hyper-vigilant” when it comes to emails, refraining from clicking links or opening attachments that are suspicious.
Firms typically pay for two years of credit monitoring and identity theft protection following data breaches, as CIRO did (the registration deadline is Jan. 31). Rose suggested up to 36 months of credit monitoring following a data breach, particularly when passwords or personally identifiable information has been exposed.
“What people don’t realize is that identity theft is a slow-burn crime,” Rose said. “Your data can circulate on criminal marketplaces for years.” (He said he uses ongoing credit monitoring with one of the credit bureaus.)
Fraudsters could sit on breached data until the typical two years of credit monitoring have passed, Boudreau said.
People don’t necessarily have to pay for credit monitoring. You can access your credit report online for free, with monthly updates provided by the credit bureaus. “At the very least, we recommend as a best practice that every consumer pull their credit file once a year,” Boudreau said, and that they investigate any activity they don’t recall.
Further, “anybody in Canada can put either a fraud warning or identity alert on their credit report — that’s free,” Kuzmic said. (A fraud warning and identity alert are the same thing; which term is used depends on provincial legislation.)
CIRO suggested placing alerts on your credit report.
Depending on the province, lenders may or may not be legally required to comply with the alert request, Kuzmic said; regardless, “it does seem to be effective, because we don’t hear of cases where the person didn’t get called.”
The ability to lock or freeze your credit file to prevent new applications in the first place is currently available only in Quebec. In Ontario, new regulations that provide for freezing will come into force in July 2026, with the credit bureaus having another year to meet the requirements.
These statutory freezes help address shortcomings associated with credit monitoring, suggests Claudiu Popa, co-founder and chairman of KnowledgeFlow Cybersecurity Foundation in Toronto, a nonprofit that advocates for cybersafety.
For example, credit monitoring is reactive, not preventative, and offers of free credit monitoring normalize data loss as a minor inconvenience, Popa writes in a blog post. With statutory powers such as freezes, “the onus for preventing misuse of consumer data moves away from individual vigilance and back toward institutional responsibility and oversight.”
Kuzmic said she expects credit report freezing to eventually roll out in other provinces. However, in harmonizing, there are operational challenges to address — particularly for credit unions and small lenders that operate in a single province, she said.
Focus on credit reports, not credit scores
Credit reports include credit scores, which can bring up a lot of emotions. “It is so important to remind people that credit scores are not moral judgments,” Kuzmic said.
Credit bureaus calculate multiple credit score versions (scores range from 300 to 900), with the same data weighted differently, she said. A bank or other lender has a proprietary strategy to approve loans based on the score version it uses.
So, while scores can change, scores “all are using the credit report data as the input,” Kuzmic said. That means “the important thing to focus on is your credit report data, not the number of the score.”
Also, consumers in the highest range of any score version, which tends to be about 750 or 760, don’t need to improve their scores, she said. For example, two consumers with scores of 780 and 880, respectively, in the same score version would be viewed by lenders as identical on score alone. “It’s not 780 out of 900,” Kuzmic said.
In addition to credit monitoring, dark web monitoring is included in the services provided by Equifax and TransUnion to those affected by the CIRO breach (and other providers also offer dark web monitoring). The dark web monitoring will “alert you if your information is ever detected online at any point in the future, whether from this incident or elsewhere,” CIRO’s website says.
Rose generally recommends dark web monitoring, because stolen passwords can be reused in credential stuffing attacks or exploited through SIM swaps. (The CIRO breach didn’t involve passwords, and CIRO says there is no evidence of any of the breached data being posted on the dark web so far.)
For example, with a SIM swap, a bad actor asks your cell phone provider for a new SIM card in your name, and thereby gains access to your accounts.
However, “the telcos have gotten super smart over the last 12 months, so they’re not easily switching the SIMs out,” Rose said.
Notable breaches
Large data breaches in Canada include the LifeLabs Inc. breach, which affected about 15 million people, and the Desjardins Group breach, which affected about 10 million people. Both breaches occurred in 2019 and involved settlements.
Equifax had a massive data breach in the U.S. in 2017, which affected almost half of Americans as well as about 19,000 Canadians, Kuzmic said. The breach resulted in a settlement with the U.S. Federal Trade Commission and others, and included requirements to implement an information security program.
Equifax subsequently invested billions in IT infrastructure, and continually upgrades and monitors its system, Kuzmic said. She also noted certain safeguards; for example, credit report information is now masked, so that full numbers aren’t visible. “Part of the reasoning for that is if it did get into the wrong hands, it’s not much data,” she said.
TransUnion in the U.S. had a breach this past summer involving a third-party vendor, as noted on CIRO’s website; the breach didn’t include credit reports, according to a copy of a notice to affected Maine residents.