Last month, the Canadian Investment Regulatory Organization announced that about 750,000 investors may have been affected in a data breach last summer.Cole Burston/The Globe and Mail
Canada’s investment industry regulator says it can’t tell financial advisors which of their clients may have been affected by a data breach last year because the information linking affected clients to advisors and dealers is incomplete or potentially dated.
“Giving incorrect, incomplete, fragmented information is not helpful,” says Andrew Kriegler, president and chief executive officer of the Canadian Investment Regulatory Organization (CIRO).
“It actually puts firms in a difficult position; it would put advisors in a difficult position; and frankly, it has the risk of raising or augmenting concerns among the public where it’s not necessary.”
Some of the data exposed in the August, 2025, breach relates to accounts clients might have opened years ago, meaning CIRO can’t be sure if the client is still with the same firm, advisor, or if the account still exists, Mr. Kriegler says.
CIRO began sending letters to registered individuals last September, alerting them that their personal information may have been breached in August.
In January, the regulator announced the breach was far more extensive than originally believed, with hackers accessing clients’ personal information and account numbers.
CIRO began sending letters to around 750,000 investors who may have been affected by the data breach, offering two years of credit monitoring and identity theft protection services.
However, advisors won’t know if clients were affected unless clients tell them.
John De Goey, portfolio manager with Designed Securities Ltd. in Toronto, says he’s received two calls from clients who received letters from CIRO that their data has been breached.
“For all I know, all of my clients could have gotten [a letter from CIRO] and they just didn’t contact me,” he says.
One client, a family member, wondered if the letter was a scam, he says, while the other client just wanted more information.
On Feb. 4, CIRO sent dealers an “Advisor FAQs” document intended to help advisors field questions from clients.
In the document, CIRO tells advisors there’s no need to notify clients about the breach proactively. However, if clients ask, advisors should direct them to resources on CIRO’s website or to its call centre.
CIRO also asks advisors to refrain from speculation or from providing information inconsistent with CIRO’s official communications on the breach so as not to increase client anxiety.
The advisor and other registrant data breached last year were from a structured database, allowing CIRO to identify and notify affected individuals more easily in the fall, Mr. Kriegler says.
However, breached client information was “not in a structured form.” A third-party forensic IT investigator had to comb through it and identify potential personal information exposed.
“When we were sure we had it all, that’s when we went out in January with the second press release to say individual data was also affected,” Mr. Kriegler says.
Scott Sather, a financial planner and founder of Awaken Wealth Management Ltd. in Regina, says none of his clients have contacted him about receiving a CIRO breach letter, but he received a notification last year as a registrant.
Mr. Sather said in a message he sent to The Globe through LinkedIn that the regulator took longer than it should have to share information about the breach.
“It kind of undermines some of [CIRO’s] credibility for advisors and clients,” he wrote in response to a question from The Globe.
On Tuesday, an investor and a former investment advisor filed a proposed class-action lawsuit in a British Columbia court against CIRO. It’s the second class action related to the breach.
Last fall, another former investment advisor who was contacted about the data breach filed a proposed class-action suit in a Quebec court against CIRO.
When asked about the lawsuits, Mr. Kriegler said it wouldn’t be appropriate for him to comment on matters before the courts.