Canadian Tire Corporation (CTC) confirmed on October 2, 2025, that a significant data breach had compromised between 38 and 42 million customer accounts across its family of retail brands. The breach represents one of the largest consumer data exposures in Canadian history by sheer volume of records affected, touching customers of Canadian Tire, SportChek, Mark's/L'Equipeur, and Party City Canada.

What Happened

The breach was detected on October 2, 2025, when CTC's security operations team identified anomalous data access patterns within the corporation's centralized customer database. An investigation revealed that unauthorized actors had gained access to customer account records spanning multiple retail brands under the CTC umbrella.

CTC moved quickly to contain the breach and engaged external cybersecurity forensic specialists to determine the full scope of the compromise. The company has not yet publicly attributed the attack to a specific threat actor or disclosed the precise method of initial access.

Data Exposed

The compromised data across the 38-42 million accounts includes:

  • Full names and residential addresses
  • Email addresses and phone numbers
  • Year of birth (fewer than 150,000 accounts had full date of birth exposed)
  • Encrypted (hashed) passwords
  • Truncated credit card numbers (last four digits only)

CTC emphasized that Canadian Tire Bank and Triangle Rewards financial accounts were not affected by the breach, as they operate on separate, isolated systems. Full credit card numbers, CVVs, and banking information were not compromised.

Which Brands Were Affected

The breach impacted customers across CTC's retail ecosystem:

  • Canadian Tire - Canada's iconic general merchandise retailer
  • SportChek - Canada's largest sporting goods retailer
  • Mark's / L'Equipeur - Workwear and casual clothing retailer
  • Party City Canada - Party supplies and seasonal merchandise

Any customer who created an online account with any of these brands may be affected. The centralized customer database architecture meant a single point of compromise had cascading effects across all brands.

Canadian Tire's Response

CTC has taken the following actions in response to the breach:

  • Contained the breach and secured the affected systems
  • Notified the Office of the Privacy Commissioner of Canada
  • Began sending TransUnion credit monitoring notifications to affected customers
  • Forced password resets across all affected brand accounts
  • Engaged external forensic investigators to conduct a comprehensive review
  • Confirmed that Canadian Tire Bank and Triangle Rewards systems were unaffected

What Customers Should Do

CyberSafe recommends the following steps for customers of any CTC brand:

  • Change your password immediately on all CTC brand accounts and any other accounts where you used the same password
  • Enable multi-factor authentication wherever it is offered
  • Enroll in the TransUnion credit monitoring service if you receive a notification
  • Be alert for phishing emails impersonating Canadian Tire, SportChek, Mark's, or Party City
  • Monitor your credit card statements for unauthorized charges, even though only truncated numbers were exposed
  • Report any suspicious activity to the Canadian Anti-Fraud Centre

Retail Cybersecurity Implications

The Canadian Tire breach illustrates the amplified risk of centralized customer databases in multi-brand retail environments. While consolidating data systems creates operational efficiencies, it also creates a single high-value target that, if breached, can affect tens of millions of customers simultaneously.
