Old or incomplete information is preventing CIRO from providing advisors with the names of clients hit by data breach
CIRO is unable to inform advisors which clients were affected by a data breach due to incomplete or outdated client information.Summary
The Canadian Investment Regulatory Organization (CIRO) is facing challenges in notifying financial advisors about clients impacted by a data breach affecting approximately 750,000 investors. CIRO president Andrew Kriegler explains that the information linking affected clients to their advisors is either incomplete or potentially outdated, making accurate notification impossible. The breach, which occurred in August 2025, exposed client data related to accounts opened years ago, raising concerns about whether clients are still with the same firms or if the accounts are still active.
While CIRO has sent letters to potentially affected investors offering credit monitoring and identity theft protection, advisors are reliant on clients to self-report if they received a notification. Some advisors, like John De Goey, have only heard from a small number of affected clients, raising concerns that many more may be unaware. CIRO has advised advisors to direct client inquiries to its website or call centre and to avoid speculation.
CIRO has faced criticism for the delay in sharing information about the breach, with some, like Scott Sather, questioning the regulator’s credibility. Furthermore, two class-action lawsuits have been filed against CIRO in British Columbia and Quebec related to the data breach, but CIRO has declined to comment on ongoing legal matters.
(Source:The Globe and Mail)