Securities Regulator Reveals Summer Data Breach Impacted 750,000 Investors
Canada’s investment industry regulator has disclosed significant details about a data breach impacting 750,000 investors that occurred last summer. The Canadian Investment Regulatory Organization (CIRO) announced it began notifying affected clients this week, indicating the breach was broader than previously reported.
Details of the Data Breach
CIRO revealed that hackers gained access to personal data and account statements following a sophisticated phishing attack on August 11. A thorough investigation took nearly five months, with over 8,000 hours spent analyzing electronic records.
Information Compromised
The breached information potentially includes:
- Dates of birth
- Phone numbers
- Annual income details
- Social Insurance Numbers
- Government-issued ID numbers
- Investment account numbers
- Account statements
However, CIRO clarified that no login credentials, such as passwords or security questions, were compromised in the breach.
Regulatory Response and Current Actions
CIRO’s CEO, Andrew Kriegler, expressed regret over the incident and emphasized the regulator’s commitment to transparency and accountability. He assured stakeholders that there is currently no evidence indicating the exposed information has been misused.
As part of its response, CIRO has enhanced its cybersecurity measures to bolster defenses against future attacks. The organization is responsible for overseeing investment dealers and mutual fund activities across the nation.
Notification Process
Approximately 750,000 affected clients will receive notifications via mail or email alerting them to the breach. CIRO plans to offer two years of credit monitoring and identity theft protection through Equifax and TransUnion, though physical notifications may take several weeks to reach individuals.
Last fall, CIRO had initially estimated the breach affected a smaller group, sending around 400,000 notifications to financial advisers and executives. Recent findings revealed a much larger impact.
Potential Legal Action
In light of the breach, a former investment adviser has initiated a class-action lawsuit against CIRO, alleging negligence in its notification timing. The lawsuit claims CIRO should have acted more swiftly, given its access to the necessary contact details. The suit has not yet been approved.
The adviser claims to have received notification 42 days after the incident, arguing that the delay heightened risks of fraud and identity theft for those affected. The legal document requests minimum damages of $1,000 per affected member.
In response to the lawsuit, CIRO maintains that it acted appropriately and within the bounds of its responsibilities by comprehensively investigating the breach before notifying stakeholders.
CIRO continues to monitor the situation closely while upholding its commitment to protecting the privacy and security of Canadian investors.



