
About 750,000 Canadian investors were affected by the Canadian Investment Regulatory Organization’s (CIRO) cyberbreach last August, the regulator said in a release on Wednesday.

Investors’ compromised data may have included birth dates, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers and account statements. The investors may be current or former clients of CIRO dealer members.

“We deeply regret this occurred and apologize for any inconvenience or concern,” the regulator said in the release.

CIRO said it collected the investor information in “the normal course” of carrying out its regulatory mandate to protect investors from improper investment conduct and practices, and through its investigative, compliance assessment and market regulation work.

There is currently no evidence that the information has been misused, it said.

CIRO doesn’t collect account login details, such as passwords, security questions and PINs, and therefore that information wasn’t at risk, the release said.

On the regulator’s information page for affected investors, CIRO says it deletes investor information when no longer required for its investigative, compliance assessment and market surveillance work. “We are unable to process individual deletion requests,” it notes.

CIRO said it is reaching out to affected investors to alert them of the incident and offering two years of credit monitoring and identity-theft protection. Affected investors will be sent notification letters by email or regular mail, beginning on Wednesday, the release said.

“We are intent on doing right by those who are personally affected,” Andrew Kriegler, president and CEO of CIRO, said in the release. “We take our public interest role very seriously. Matters of privacy and security are extremely important to us, as are our guiding organizational values of transparency and accountability. That’s why we remain committed to further strengthening our own cybersecurity defences and data security practices and supporting the ongoing efforts of the broader investment industry.”

The breach, which resulted from a phishing attack, was detected on Aug. 11 of last year. CIRO originally reported that registration data had been breached, including registrants’ personal information such as addresses, phone numbers, and eye and hair colour. All mutual fund dealers, investment dealers and registered individuals were affected, the regulator said at the time.

Member firms were originally notified of the breach on Aug. 18, according to the regulator, and CIRO began sending letters to registrants on Sept. 9 to inform them that their data were affected.

CIRO faces a potential class action arising from the incident. The class action application, filed in Quebec Superior Court last October, is on behalf of “all persons in Canada whose personal or financial information was held” by CIRO “and was compromised in the data breach … or who received an email or letter from [CIRO] informing them of such data breach.”

In Wednesday’s release, which confirms that hundreds of thousands of investors were also affected by the breach, the regulator said it “quickly contained the incident and took immediate steps” to secure its systems and protect the data.

“We notified law enforcement and all relevant authorities, including privacy commissioners,” CIRO said in the release. “A leading third-party forensic IT investigator was retained to determine what information was impacted.”

After a preliminary investigation, the regulator “immediately” shared the findings “publicly and directly” with member firms and registrants, the release said. “At that time, we noted the investigation was ongoing, and we committed to sharing the final findings of the e-discovery process once the review was complete,” CIRO said in the release. “After more than 9,000 hours of examination, we can now confirm the full extent of the incident.”