Toys "R" Us Canada has notified customers of a data breach it says may have compromised their personal information.
In an email sent to shoppers Thursday morning, the toy store said it learned on July 30 that someone had posted information on the "unindexed Internet" they claimed to have stolen from the business's databases.
It's unclear whether Toys "R" Us Canada was referring to the deep web, a part of the internet which is difficult to access because it is not indexed by search engines, or the dark web, which is accessed through software and is often a haven for criminal activity.
The company did not immediately respond to a request for comment on the breach email or explain why it took so long to notify customers of the incident. The Office of the Privacy Commissioner of Canada's website says the law requires companies to notify individuals whose personal information may have been breached "as soon as feasible."
However, its message to customers said after being notified that information believed to be linked to the company was circulating online, Toys "R" Us Canada hired cybersecurity experts to investigate. They eventually confirmed the records had been copied by an unauthorized third party.
The company said the breached records may include the names, addresses, emails and phone numbers of customers.
It said no passwords, credit card details or similar confidential data were involved in the incident and the company has not seen evidence that any of the information compromised was misused.
"We regret any inconvenience or concern this incident may cause you," the email from Toys "R" Us Canada said.
"We are committed to further improving our security and are working continually to upgrade our systems to prevent a similar incident from happening again."
The company added that it is in the process of reporting the incident to privacy regulators and has engaged with legal counsel to assist in this process.
It urged customers to avoid responding to any "unexpected" or "unsolicited" emails or text messages purporting to be from Toys "R" Us. The messages could be fraudulent, the company said.
It also advised shoppers not to click on links or download attachments from suspicious emails and said they should watch out for phishing and spoofing attempts.
Phishing is when scammers impersonate trusted people or website login forms to get victims to input or reveal sensitive information like passwords or credit card numbers.
Spoofing is when someone falsifies information such as an email address or phone number to appear trustworthy.
For example, Toys "R" Us Canada said an email from a spoofer may appear to come from “John Doe Inc.;” however, the sender’s email address may contain an extra symbol or letter different from the genuine business email address.
Cybersecurity issues have been reported this month at Canadian Tire Corp. Ltd. In the last year, breaches also ensnared Nova Scotia Power, the College of New Caledonia in Prince George, B.C., and PowerSchool, the maker of education software used by many schools.
Statistics Canada data show the number of police-reported cybercrimes in the country hit 92,567 last year, up from 65,141 in 2020. Fraud alone made up 46,301 of those crimes, while identity theft accounted for 957 and identity fraud 4,283.
This report by The Canadian Press was first published Oct. 23, 2025.
