Top Bay Street executives are receiving notifications that their personal information may have been accessed during a recent data breach at Canada’s investment industry regulator.
On Tuesday, the Canadian Investment Regulatory Organization began to send out letters to its member firms and registered individuals to alert them that their personal data may have been breached on Aug. 11 when hackers targeted the self-regulatory organization.
CIRO spokesperson Sean Hamilton confirmed to The Globe and Mail that letters are being sent out to all current and former registrants of member firms, informing them about the cyber incident and how they can protect themselves.
The list of those being notified includes not only financial advisers but also other roles that require registration with CIRO, he added, including executives, supervisors, traders or investors – which could be someone who owns equity in a registered company.
The various levels of registration mean some of the biggest names in Canada’s financial services sector are among those at risk, including executives at Bank of Montreal, Bank of Nova Scotia, Canadian Imperial Bank of Commerce, Royal Bank of Canada and Toronto-Dominion Bank.
Many of the banks’ senior-level executives who currently work – or even previously worked – in capital markets, wealth management and investment brokerages are among those receiving CIRO letters.
Several of Canada’s independent wealth management firms and their senior executives are also registered with CIRO, including Richardson Wealth, Wellington Altus and Canaccord Genuity Group Inc.
The regulator said the information that could have been accessed included personal names, residential addresses, e-mail addresses and telephone numbers, as well as birth dates and places of birth. Bank account numbers could have been breached if they were included as part of a financial solvency disclosure, as well as investment and beneficiary information, if included as part of disclosures about ownership in securities and derivatives.
Other details that may have been accessed include civil and criminal disclosures, investigation notes and passport information for non-Canadian citizens.
CIRO confirmed that social insurance numbers and credit card or payment information were not disclosed in the breach.
It identified the cybersecurity threat last month and, as a precaution, “proactively” shut down some of its systems to ensure their safety and immediately started an investigation. But the regulator only began sending letters on Sept. 9 to notify firms and individuals whose data could have been accessed.
Many senior executives are registered with CIRO as the company’s ultimate designated person, or a UDP – an individual who is responsible for overseeing the firm’s compliance obligations.
That person may be a chief compliance officer, but could be the company’s chief executive, chief financial officer or chief operating officer, among other roles.
Canada’s biggest banks have layers of senior executives registered with CIRO because the banks’ trading platforms, capital market operations and wealth management arms typically register as separate entities.
Some senior executives also received a letter about the data breach if they were formerly registered due to a previous role that was under CIRO regulation – or even if they worked at another CIRO member company during their career.
Spokespeople at BMO, Scotiabank, CIBC, RBC and TD Bank all declined to comment.
Canadian Bankers Association spokesperson Nathalie Bergeron said the organization and its member banks are aware of the recent CIRO cybersecurity incident.
“While the incident did not occur on member systems, we are working closely with CIRO to understand the impacts,” she said in an e-mail. “Our members’ primary focus is on the safety and security of personal information.”
CIRO said Canadians’ individual investments are not at risk due to the breach.
The regulator only receives information about a sample of investors through its member compliance functions. If the investigation reveals that any investor’s information was affected, CIRO said it will notify them immediately and provide risk mitigation services.