In October 2025, Canadian Tire, a major player in the Canadian retail industry, faced a significant data breach affecting over 38 million customer accounts. The breach, identified on October 2, involved unauthorized access to sensitive data within their e-commerce database, raising concerns about customer privacy and data protection.
Details of the Breach
The breach primarily targeted the e-commerce databases of Canadian Tire and its subsidiary brands, including SportChek, Mark’s/L’Équipeur, and Party City. The compromised information encompassed basic personal details such as names, email addresses, and encrypted passwords. In some instances, the breach also exposed partial credit card details, although fewer than 150,000 accounts had date of birth information compromised.
Canadian Tire assured its customers that despite the breach, the stolen passwords and credit card data were not sufficient to enable unauthorized access to accounts or fraudulent transactions. The company confirmed that no Canadian Tire Bank or Triangle Rewards program data was compromised during the incident.
Impact and Notification
This week, the breached data was listed on the data breach notification platform, Have I Been Pwned, which reported that approximately 42 million records had been compromised. The leaked data included 38.3 million email addresses, along with additional details such as addresses, phone numbers, and gender information.
Security measures were in place, as passwords were stored using PBKDF2 hashing. Nonetheless, the breach also involved dates of birth and partial credit card information for a subset of records, including card type, expiry dates, and masked card numbers.
Response and Future Actions
Canadian Tire has reached out to the affected individuals through email notifications. However, the company has not yet disclosed the total number of impacted customers publicly. Efforts to contact Canadian Tire for further comments are ongoing, with updates anticipated as more information becomes available.
As the situation evolves, this incident underscores the critical importance of robust cybersecurity measures in protecting customer data. Companies must remain vigilant against potential threats, ensuring that sensitive information is safeguarded against unauthorized access.
