CIRO cybersecurity incident — For Investors

If you received a letter from CIRO or an email from ciro@notifications.cyberscout.com they are legitimate and it is safe to follow the instructions to register for free credit monitoring and identify theft protection through TransUnion and Equifax.

CIRO will not contact you by text message or through other social media, request access to any of your investment or bank accounts or that you provide information to facilitate access to these accounts, or request payment of any monies.

The Canadian Investment Regulatory Organization (CIRO) is the pan-Canadian self-regulatory body that oversees investment and mutual fund dealers in Canada. We have a regulatory mandate to protect investors from improper investment conduct and practices by providing oversight of Canadian investment and mutual fund dealers’ business conduct, including their trading activities.

Only some Canadian investors were impacted by the cybersecurity breach. Individuals impacted by the cyber incident were sent a notification letter by CIRO starting on January 14, 2026 and it may take several weeks for these letters to arrive.

If you received a notification letter from CIRO, then some of your information was impacted by the cyber incident. The notification letter describes the categories of your information that were impacted. We currently have no reason to believe that any of your information has been misused in any way.  As a precaution, however, we are offering impacted individuals credit monitoring and identity theft protection services through TransUnion and Equifax to identify any potentially fraudulent use of your information.

Notification letters started to be sent on January 14, 2026. Notification letters were sent by email or regular mail through Canada Post. Please note that it may take several weeks for these letters to arrive.

Your information was obtained in the normal course of CIRO carrying out its mandate and conducting its investigative, compliance assessment and market surveillance work.

In August 2025, CIRO identified a cybersecurity incident. We took immediate steps to contain the incident, secure our systems and protect the information in our care. We notified law enforcement and all relevant authorities including privacy commissions across Canada. Once contained, we retained a leading third-party forensic IT investigator to determine what information was impacted. After more than 9,000 hours of review, that investigation determined that a limited subset of investigative, compliance and market surveillance data, including some of investor information, was copied from our system.

We deeply regret that this occurred and apologize for any inconvenience or concern.

If you received a notice from CIRO, we recommend that you sign up for the free two-year membership in credit monitoring and identity theft protection services offered to you.

We also always recommend, as a matter of good practice, that you periodically review your investment accounts for any unusual activity and be vigilant about emails, text messages or phone calls asking you to provide sensitive information or to click on links or attachments, even if they appear to come from CIRO or someone you know or trust.

We have been monitoring the dark web and currently have seen no indication that your information has been misused in any way. We are offering free credit monitoring and identity theft protection to impacted individuals as a further precautionary measure and to help detect possible misuse of your information.

We notified impacted individuals as soon as we determined that their personal information may have been impacted. CIRO is committed to protecting the security and confidentiality of the information entrusted to us, and we worked hard to notify impacted individuals as quickly as possible. The forensic investigation into the incident and the data exposed were very complex and required time to determine the impact and individual exposure.

CIRO will delete investor information when no longer required for its investigative, compliance assessment and market surveillance work, however we are unable to process individual deletion requests.

We take data security very seriously. This incident was the result of a sophisticated attack. In response to the specific features of this attack, we have taken several steps to enhance our data security practices. On an ongoing basis, we continue to look for ways to strengthen CIRO’s cybersecurity defences and to examine how we can collectively strengthen defences and cybersecurity best practices across the investment industry.

• If you received a notification letter from CIRO, you can get help signing up for free credit monitoring and identity theft protection by following the instructions in the appendix enclosed in the letter.
• If you received a notification letter from CIRO and have further questions about the cybersecurity incident, please contact us by following the instructions in the letter.
• If you did not receive a notification letter from CIRO, please call 1-877-442-4322, select your language and press #7.

While the letter mentioned the option to "freeze" your credit, this specific service is currently only available to residents of Quebec.

In British Columbia, the provincial government has passed the law to allow for credit freezes, but they have not yet set the date for when credit bureaus must have the service active. We apologize for providing instructions that cannot yet be completed in your province.

How can I protect myself today? Even though a "freeze" is not yet an option in BC, you can still take these three important steps:

1. Enroll in Free Monitoring: Use the activation code in your letter to sign up for the credit monitoring service we are providing. This remains the best way to stay alerted to any activity on your file.
2. Place a "Fraud Alert": You can still contact Equifax or TransUnion to place a "Fraud Alert" on your file. This tells lenders to take extra steps to verify your identity before granting credit.
3. Future Access: Once the BC government activates the credit freeze regulations, you will be able to request a freeze through the credit bureaus.