Were You Impacted By the Toys "R" Us Breach?

As first reported on October 23rd, 2025, Toys "R" Us Canada has notified customers of a data breach it says may have compromised their personal information.

In a recent email sent to customers, the toy store said it learned on July 30th, 2025 that an unidentified individual had posted information on the "unindexed Internet" claiming to have stolen from the business's databases.

At the time of publication, it is currently unclear whether Toys "R" Us Canada was referring to the deep web (a part of the internet which is difficult to access because it is not indexed by search engines), or the Dark Web, which is accessed through software and is often a haven for criminal activity.

What PII Was Compromised in the Toys "R' Us Breach?

In its statement emailed to customers, Toys “R” Us says the cybersecurity team discovered that those who gained unauthorized access to its systems “copied certain records from our customer database, which contains personal information.” However, the company emphasizes that “no passwords, credit card details or similar confidential data” was exposed in the incident.

The company said that, instead, breached records may include the names, addresses, emails, and phone numbers of customers.

"We regret any inconvenience or concern this incident may cause you," the statement continues. "We are committed to further improving our security and are working continually to upgrade our systems to prevent a similar incident from happening again."

Toys "R" Us representatives added that it is in the process of reporting the incident to privacy regulators and has engaged with legal counsel to assist in this process. The Office of the Privacy Commissioner of Canada's website says the law requires companies to notify individuals whose personal information may have been breached "as soon as is feasible."

FIPAA: What to Know About Canadian Breach Disclosures

Effective July 1st, 2025, the Freedom of Information and Protection of Privacy Act (FIPPA) requires provincial institutions to report certain privacy breaches to the Information and Privacy Commissioner of Ontario (IPC) and notify affected individuals of those breaches, as soon as feasible after the institution determines that the breach occurred.

The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) has not been amended to include the same breach-related requirements as FIPPA. However, MFIPPA institutions should proactively adopt these new obligations to strengthen privacy protections for individuals, support compliance with other legal requirements, and prepare for potential equivalent changes to MFIPPA.

Vito Pilieci, a spokesperson for the Office of the Privacy Commissioner of Canada, said in an email to MSN that the organization is aware of the breach and has reached out to Toys “R” Us Canada to obtain more information and determine next steps.