DataBreaches.Net


IIROC notifies investment firms and clients after device with personal information lost (updated)

Posted on April 12, 2013 by Dissent

From their press release of yesterday:

The Investment Industry Regulatory Organization of Canada (IIROC) deeply regrets the accidental loss of a portable device that contained personal information relating to clients of a number of investment firms.  IIROC has taken several measures to notify the firms and their clients and to provide them with support services.

As soon as IIROC learned of the loss, it conducted an internal investigation and retained an independent third-party security expert in forensics to determine what information was contained on the device.

While there has been no indication of third parties attempting to access the information to date, IIROC:

  • Has communicated with the relevant investment firms whose client information was on the device;
  • Is writing to those firms’ clients and providing a comprehensive checklist that includes additional steps clients can take to protect personal information;
  • Set up a dedicated call center, starting Monday, April 15, which will be available from 9 a.m. to 5 p.m. Monday to Friday, to help answer client questions and concerns and, if needed, to walk them through the support materials provided; and
  • Arranged, at no cost to clients, a six-year alert flag to be placed on their credit files through Equifax Canada.

IIROC has strict policies in place that require all information it collects to be protected which should have prevented this unfortunate incident.  IIROC immediately launched a comprehensive review of all its information technology and business policies, procedures and protocols in order to reinforce existing security controls.

“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms. The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls,” said Susan Wolburgh Jenah, IIROC CEO and President.

IIROC has notified the relevant privacy commissioners.

IIROC will publish updates and other information that may be helpful on its web site at www.iiroc.ca.

***

IIROC is the national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity marketplaces in Canada.  Created in 2008 through the consolidation of the Investment Dealers Association of Canada and Market Regulation Services Inc., IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while maintaining efficient and competitive capital markets.

IIROC carries out its regulatory responsibilities by creating and enforcing rules regarding the proficiency, business and financial conduct of dealer firms and their registered employees and through the creation and enforcement of market integrity rules regarding trading activity on Canadian marketplaces.

Six years of credit monitoring is unusual.

Disappointingly, the release does not indicate when the loss occurred, when it was discovered, where it happened, or what types of data were on the device.  Hopefully, they’ve been more forthcoming in their notification letter to those affected.  If anyone received a letter from them and can share it, please email it to breaches[at]databreaches.net.

Update: Media reports indicate that 52,000 investors from 32 brokerage firms were affected, but it is still not known what type of device was lost, where and when the loss happened, what types of information were on it, or whether there was any encryption.

Update 2:  A reader submitted a copy of the notification letter, which I’ve uploaded here.

Category: Breach Incidents, Business Sector, Lost or Missing, Non-U.S.


2 thoughts on “IIROC notifies investment firms and clients after device with personal information lost (updated)”

  1. Khlav Kalesh says:
    April 23, 2013 at 12:43 pm

    I’ve received a letter regarding the IIROC data loss. Not much more info is provided; however, I can share.

    I run an e-commerce business and am surprised this data was taken out on a portable device and not encrypted. Our data never leaves the server(s) and/or databases. Even desktop hard-drives which may contain passwords or other secure info are all fully encrypted to secure against theft. Why an organization like this is so off on security/privacy is shocking.

    The best part is this is a regulatory agency put in place under the auspices of security. Lovely…

    1. Dissent says:
      April 23, 2013 at 1:06 pm

      Thanks for submitting the letter, which I’ve added as an update to the post. And yes, it is scary.
