Canadian Tire says data breach exposed customer passwords and credit card info

If you recently did some online shopping with Canadian Tire, SportChek, Mark's/L’Équipeur, and Party City, your information may have been impacted in a recent data breach.

Canadian Tire Corporation (CTC), the parent company of the stores listed above, notified customers on Tuesday that it had identified a data breach involving customer information in an e-commerce database on Oct. 2, 2025.

The company said the unauthorized activity was limited to that database and did not include Canadian Tire Bank information or Triangle Rewards loyalty data.

"There was no impact on in-store transactions, and all e-commerce systems are operational," stated the notice.

The cyberattack has been resolved, and the database has been secured; therefore, it is currently safe to use CTC websites and accounts.

Information that was affected in the Canadian Tire data breach

According to CTC, the information affected in the cyberattack includes basic personal information for customers who have an e-commerce account with one or more of the following companies: Canadian Tire, SportChek, Mark's/L’Équipeur, and Party City.

Impacted information included name, address, email and year of birth.

"It also included encrypted passwords and, in some cases, truncated (i.e. incomplete) credit card numbers, none of which can be used for account access, transactions or purchases," noted the company.

It added that the affected data included date of birth in the case of less than 150,000 accounts. CTC said it has identified these individual account holders and will contact them in the coming days to provide notification and offer credit monitoring.

It has also reported the incident to privacy regulators.

What should impacted Canadian Tire customers do?

According to an FAQ page for the cybersecurity incident, affected customers will receive an email from TransUnion on behalf of CTC in the next week.

In the meantime, the company said customers don't need to change their passwords. However, it does advise shoppers to use strong and unique passwords.

"Avoid re-using passwords and make sure to enable multi-factor authentication wherever possible," stated the FAQ page.

Canadian Tire also said customers don't need to replace their credit cards because "the data involved did not include full credit card numbers or CVVs."

"In some cases, account information included incomplete credit card numbers, similar to what appears on a store receipt," explained the company. "This cannot be used for account access, transactions or purchases."

Canadian Tire isn't the only major company that has experienced a data breach in recent months.

In August, WestJet announced that it had been hit by a cyberattack that compromised flyers' passport information.

WealthSimple also experienced a data breach in August, which led to a class-action lawsuit filed against the investment service.