News

Toys “R” Us Canada Confirms Customer Data Leak After Cyber Attack

Published

1 day ago

October 24, 2025

Toys “R” Us Canada has confirmed that customer data was stolen and leaked online after a cyberattack, exposing personal information of shoppers across the country. The company said it discovered the breach when threat actors posted stolen data on the dark web in late July 2025.

Company Confirms Breach After Dark Web Leak

The toy retailer said it first became aware of the issue on July 30, 2025, when cybercriminals uploaded what they claimed was customer data to an unindexed part of the internet. An internal review later confirmed the leaked information was authentic, prompting the company to send data breach notices to affected customers.

In a letter to customers, Toys “R” Us Canada stated, “We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident.” The investigation revealed that unauthorized actors had copied certain customer records from its database.

What Information Was Exposed

The leaked information varies by individual, but could include:

Full name
Physical address
Email address
Phone number

The company emphasized that no account passwords, credit card information, or other financial data were exposed. This means that while sensitive personal details have been compromised, customers’ payment information remains secure.

A spokesperson familiar with the matter said the company believes the attackers accessed a segment of its customer database that stored contact and order details. No evidence has surfaced indicating deeper access into its financial systems.

Cybersecurity Measures and Investigation

After confirming the breach, Toys “R” Us Canada brought in independent cybersecurity specialists to contain the attack, secure compromised systems, and strengthen digital defenses. The company said it has since implemented additional network monitoring and enhanced its system authentication processes to prevent similar incidents.

The retailer operates 40 stores across Canada and is a well-known subsidiary of Toys “R” Us. It has informed the Office of the Privacy Commissioner of Canada (OPC) and other relevant provincial authorities about the data breach, as required under the Personal Information Protection and Electronic Documents Act (PIPEDA).

A summary of key actions taken by Toys “R” Us Canada following the breach is presented below:

Response Step	Description
Incident Detection	Leak discovered on dark web on July 30, 2025
Containment	Engaged cybersecurity firm to investigate
Customer Notification	Issued breach notices to affected users
Regulatory Reporting	Contacted Canadian privacy regulators
Security Upgrades	Enhanced IT systems and monitoring tools

Experts Warn of Possible Phishing Risks

Cybersecurity experts warn that exposed data like names and contact details could be misused by fraudsters. Attackers often use such information to craft realistic phishing emails or text messages that trick users into revealing additional sensitive details.

Toys “R” Us Canada advised customers to stay alert for any unsolicited communication that appears to come from the company, especially those requesting login details or financial information. “Do not click links or open attachments from suspicious messages,” the company’s notice said.

Security professionals recommend that affected users verify any Toys “R” Us-related communications directly through official channels, rather than responding to unexpected calls or emails.

Data Breaches Becoming More Common in Retail

This breach adds Toys “R” Us Canada to a growing list of retail brands hit by cyberattacks in recent years. The retail sector has become a key target for hackers seeking customer data to sell on the dark web. According to a 2025 report by Canada’s Cyber Centre, over 60 percent of retail businesses faced at least one attempted intrusion last year, driven by the rapid digitization of sales and customer service.

The same report found that personal contact information and loyalty data are the most frequently stolen assets, as they can be used in identity theft or phishing schemes.

Retailers are under increasing pressure to modernize their cybersecurity measures as more transactions move online. Experts say small and medium-sized chains, in particular, often lack the dedicated resources to combat evolving threats.

Toys “R” Us Canada Working to Restore Trust

The company says it is committed to rebuilding customer confidence after the breach. It plans to introduce stricter access controls, conduct regular system audits, and expand cybersecurity training for employees.

While the investigation continues, the number of customers affected has not yet been disclosed, and the company has not commented on whether the attackers demanded a ransom.

Toys “R” Us Canada stressed that protecting customer information remains its highest priority and said further updates would be shared as the situation develops.

The company’s swift response and transparent communication have drawn some praise from cybersecurity experts, though they note the incident underscores how even established brands remain vulnerable in today’s digital economy.

As the investigation unfolds, Canadian shoppers are reminded to stay vigilant and monitor their email accounts for any suspicious activity.

The breach has sparked growing discussion among parents and shoppers online, with many calling for stronger corporate data protection standards in Canada.

What’s your take on this data breach? Should retailers face stricter accountability for customer privacy? Share your thoughts and spread awareness on social media.