Following a data breach last summer at the Canadian Investment Regulatory Organization, clients should watch for scammers posing as CIRO, the credit bureaus, dealer firms and even individual advisors. Photo: Adrien Veczan/The Canadian Press

Advisors, be prepared: Around 750,000 Canadian investors are getting letters from the Canadian Investment Regulatory Organization (CIRO) about a data breach it disclosed last summer. That could spark calls from clients worried about their personal data.

While login credentials and personal identification numbers were not exposed, plenty of information was: dates of birth, phone numbers, annual income, social insurance numbers (SIN), government-issued ID numbers, investment account numbers and account statements, among other details.

Not everyone who calls will have received the same letter. Jean-Paul Bureaud, executive director of investor advocacy organization FAIR Canada, spoke with one investor who only had their name and address exposed; for another, it was their SIN. A CIRO spokesperson confirmed investors got specific letters based on their situation.

Don’t wait for calls to arrive

Claudiu Popa, founder of Toronto-based cybersecurity consultancy Datarisk Canada, recommends an internal meeting so that everyone at the firm answering the phone has the same message. They should know what happened, what clients should do today, and what to expect next.

Then, reach out before clients come to you. “A short note can prevent bad decisions,” Mr. Popa says.

For its part, CIRO is asking advisors who receive questions from clients to direct those clients to the regulator.

Clients aren’t looking for technical depth, says mathematician and AI scientist Jeremy Samuelson, who leads AI research at Integrated Quantum Technologies.

“They just need to know that their advisor understands the difference between necessary operational access to data and unnecessary data exposure,” says Mr. Samuelson, who previously built systems to help detect identity fraud at Equifax Inc.

What to know about the breach

CIRO is providing two years of free credit monitoring through Equifax and TransUnion. Chief executive Andrew Kriegler told The Globe last month that the organization has been monitoring closely for any malicious activity and there’s no evidence the information has been misused or exposed on the dark web.

Experts warn that monitoring won’t be enough for everyone. While inconvenient, victims can change compromised phone numbers or e-mail addresses, Mr. Bureaud points out. “But you only have one SIN number in your lifetime.” For those whose SIN was part of the breach, the risk persists indefinitely.

Mr. Samuelson says credit monitoring doesn’t address all the ways breached data can be reused over time. Exposed information may be combined with other data sources, including innocuous-seeming social media posts, to help scammers dupe their victims, he adds.

Mr. Samuelson recommends using a password manager, with each password unique and difficult to guess, and enabling multi-factor authentication on banking and brokerage accounts.

Mr. Popa also advises turning on login and transaction alerts for online services. And clients should set a “no surprises” rule with their advisor, preventing major account changes without callback verification.

Credit freezes are a limited option. Quebec is the only province where consumers can request one, although British Columbia and Ontario are in the process of making them available.

Brace for impersonation

Mr. Popa says he expects impersonation attacks to follow the notification letters. Clients should watch for scammers posing as CIRO, the credit bureaus, dealer firms and even individual advisors.

Mr. Bureaud warns specifically about fraudsters claiming to follow up on credit monitoring enrollment, pressuring people to act quickly or risk losing their protection.

Mr. Popa offers a simple rule advisors can pass along: don’t authenticate yourself to an inbound caller. Authenticate the caller. Hang up and call back using a number you trust.

Advisors should also tighten their own verification routines, he says. After a breach this rich in personal detail, scammers may know enough to pass the kind of identity checks, based on dates of birth, addresses and account numbers, that advisory practices have traditionally relied on.

The core message for clients should be not to click links in unexpected messages claiming to be about the CIRO incident, he says. Instead, call the advisory practice using the number on file.

Reassure, but don’t overpromise

When clients ask what’s being done to protect their data, advisors should reassure them by discussing security measures at a high level, Mr. Samuelson says. Advisors should be able to say they limit who can access raw client data, minimize how often data is handled directly, and use systems and processes to reduce exposure.

That framing points to the broader lesson Mr. Samuelson draws from the incident: Data breaches should be treated as a fact of life, not a rare failure. Advisors who design their systems to limit damage will earn client trust. Assuming nothing will go wrong is not a viable option.
