On August 11, 2025, CIRO identified a cybersecurity threat. We can confirm that registration information of CIRO member firms and registered individuals was breached.
While we have no evidence that this information has been misused, we are contacting all impacted individuals and are offering free credit monitoring and identity theft protection services for a period of two years with both TransUnion and Equifax.
We are deeply sorry this occurred. As we continue our investigation and learn more, we will continue to provide updates.
August 18, 2025 - CIRO detects cybersecurity threat
Note: CIRO will never contact you about this event with an unsolicited call or email asking for your personal or financial information.
August 18, 2025. Toronto, ON. On August 11, 2025, CIRO identified a cybersecurity threat. As a precaution, CIRO proactively shut down some of its systems to ensure their safety and immediately started an investigation. Throughout this time, critical functions remained available.
CIRO’s real-time equity market surveillance operations continue as normal, with no active threat in our systems.
The investigation is ongoing and CIRO is working with external cybersecurity and legal experts, and law enforcement.
On August 17, preliminary investigative results indicated that some personal information of member firms and their registered employees was affected. Given the high standard of security that CIRO expects of both itself and its members, we are deeply concerned about this, and know our members will be too. Our priority is to actively investigate which individual registrants may have been affected and once determined, to notify those individuals directly and provide risk mitigation services. More information will be made available in due course.
It is important to note that Canadians’ investments are not at risk. CIRO only receives information about a sample of investors through its member compliance functions. If the investigation reveals that any investor’s information was affected, CIRO will notify them and provide risk mitigation services.
