
Data breach last summer affected 750,000 investors, securities regulator says


The Canadian Investment Regulatory Organization says it will be notifying 750,000 clients affected by a data breach that occurred last summer. Nathan Denette/The Canadian Press

Canada’s investment industry regulator says a data breach it disclosed last summer was far more extensive than originally believed, with hackers accessing personal information and account statements of 750,000 investors.

The Canadian Investment Regulatory Organization announced on Wednesday that it has started sending notifications to investors about the breaches. It said the full scope of the “sophisticated phishing attack” on Aug. 11 came to light after a lengthy investigation, involving more than 8,000 hours of sifting through electronic records.

CIRO said information that may have been accessed includes dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers and account statements.

The regulator said it does not collect any account login details, such as passwords, security questions and PINs and “that information was not at risk.”

“We deeply regret this occurred and apologize for any inconvenience or concern,” CIRO chief executive Andrew Kriegler said in a statement.


In an interview with The Globe, Mr. Kriegler said CIRO has been closely monitoring for any malicious activity and that there is no evidence that the information has been misused or exposed on the dark web.

“We are intent on doing right by those who are personally affected,” Mr. Kriegler said. “We take our public interest role very seriously. Matters of privacy and security are extremely important to us, as are our guiding organizational values of transparency and accountability.”

CIRO is a self-regulatory organization that oversees all investment dealers and mutual fund dealers across the country, as well as all trading activity on Canada’s debt and equity marketplaces. This includes oversight of discount trading platforms for do-it-yourself investors.

On Aug. 11, CIRO identified a cybersecurity threat and, as a precaution, “proactively” shut down some of its systems to ensure their safety and immediately started an investigation. It notified its member firms about the breach 24 hours later.

It retained a third-party forensic IT investigator to determine what information was affected, and a preliminary investigation revealed that registration information for member firms and registered individuals had been accessed, including that of about 100,000 financial advisers.

On Sept. 9, the regulator announced for the first time that the data breach had only affected the personal information of its registrants. Previously, CIRO said the data breach had not affected any client information. Approximately 400,000 notifications were mailed out that month.

In addition to notifying financial advisers about the breach in September, CIRO also sent letters to supervisors, traders and many senior-level executives – including CEOs – that are registered with CIRO as the company’s ultimate designated person, or a UDP – an individual who is responsible for overseeing the firm’s compliance obligations.

“We notified law enforcement and all relevant authorities, including privacy commissioners,” CIRO said in a statement on Wednesday.


But now, Mr. Kriegler says the full extent of the data breach is much more widespread. He told The Globe that the complexity of the cyberattack meant it took nearly five months to unravel with the help of “world-leading cybersecurity experts.”

Mr. Kriegler said while the public may question the length of time it took to alert investors, CIRO wanted to ensure a comprehensive investigation was concluded, with a complete list of everyone that needed to be notified.

“There was a great deal of what’s called unstructured data, which is all sorts of different file formats and all different mixes of information that is fairly hard to make your way through,” Mr. Kriegler said.

“We suspected there would be some broader data involved, but what we did not anticipate was the scope of it.”

Last fall, CIRO alerted members that the investigation was continuing and that final findings would be released once the review was complete. Since then, the regulator has enhanced its cybersecurity defences and data-security practices to prevent further cyberattacks.

The investigation revealed that not all clients or former clients of CIRO member firms were affected by the breach. About 750,000 affected clients will receive a letter by mail or an e-mail dated Jan. 14, alerting them to the incident. Investors will be offered two years of credit monitoring and identity theft protection from both Equifax and TransUnion.

However, mailed letters could take several weeks to arrive, CIRO said.

A former investment adviser, who was contacted last fall about the data breach, has launched a class-action suit against CIRO claiming the regulator was “negligent in choosing to wait over an excessive 30 days” before notifying people affected by the breach.

The class action has not yet been certified. The Globe is not identifying the adviser owing to the risk of the individual’s data being accessed from the breach.

In a court document filed on Oct. 6 with the Superior Court of Quebec, the adviser – who left the industry in 2012 – claims CIRO’s negligence has left those affected at a “greater risk of fraud and identity theft,” and said CIRO had the contact information and financial means to more quickly notify its members.

The plaintiff said he received a notice about 42 days after the data breach occurred. The class action is asking that CIRO pay damages of at least $1,000 to each member, plus punitive damages.

“The notices were also faulty in that they did not properly and clearly confirm what information was actually stolen in the context of the Data Breach,” the court document said.

In response to the proposed class action, CIRO spokesperson Sean Hamilton said CIRO collects personal information in the normal course of carrying out its mandate and conducting its registration, investigation, compliance assessment and market regulation work.

“The allegations, which seek to include all Canadians receiving notification that their personal information was affected, are not proven and CIRO is confident in its position that the organization responded in a timely and appropriate manner,” Mr. Hamilton said.
