Toys R Us Canada Breach, Delayed Customer Notice

Toys "R" Us Canada disclosed that on July 30 it discovered an unauthorized party had copied customer records and posted claimed data on the unindexed internet. The company says exposed fields may include names, addresses, email addresses and phone numbers, and that passwords, credit‑card numbers and similar financial data were not affected. Toys "R" Us Canada retained third‑party cybersecurity experts to contain and investigate the incident, has begun notifying relevant authorities and engaged legal counsel, and says it has not seen evidence the data has been misused. The retailer advised customers to be vigilant for phishing and impersonation attempts and said it is implementing enhanced security measures. Privacy experts and officials noted the company waited nearly three months to inform some customers, raising questions about timeliness under Canadian privacy rules.