Last updated 1 month ago
In October 2025, Canadian retail corporation Canadian Tire suffered a data breach exposing approximately 42.3 million records, including 38 million unique email addresses. The breach compromised customer personal information across multiple data categories, though the company confirmed bank account information and loyalty program data remained unaffected. The incident represents one of the largest retail data breaches in Canadian history.
The breach exposed comprehensive customer data including names, phone numbers, physical addresses, and PBKDF2-hashed passwords. For a subset of records, attackers obtained dates of birth and partial credit card information including card type, expiry dates, and masked card numbers. The data exposure creates significant credential stuffing and identity theft risks, particularly given the inclusion of physical addresses and partial payment card data.
Canadian Tire issued a public disclosure notice confirming the breach scope and specifying which data elements were compromised. The company clarified that full credit card numbers, CVV codes, bank account details, and loyalty program information were not impacted by this incident.
Record count revised from 42.3 million to 38 million accounts, representing a 10.1% decrease in the reported affected user count.
The Canadian Tire breach demonstrates that even organizations implementing strong password hashing (PBKDF2) remain vulnerable when attackers gain comprehensive access to customer databases containing multiple personally identifiable information types. Retailers must implement stricter access controls and data segmentation, particularly for sensitive fields like dates of birth and partial payment card data that, when combined with other PII, significantly increase identity fraud risks.