Listen to this article
Estimated 5 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Canada Computers & Electronics continues to investigate a data breach affecting hundreds of people that has left customers frustrated over how the company handled the episode and communicated about it.
“This is something that shouldn’t have happened,” said Eric Pimentel, an IT professional who cancelled a credit card after being warned by the company that he’d potentially been affected — and was later told he was not.
Toronto’s Brad Seward likewise cancelled a card after getting a notification from Canada Computers, before he was advised that he had not been affected.
“It really sounds like this company is all over the place,” Seward said via email.
Canada Computers told CBC News on Tuesday that its “current investigation indicates this incident affected 1,284 customers.”
The Richmond Hill, Ont.,-headquartered retailer previously stated that, on Jan. 22, it learned of a data breach incident involving “unauthorized access to the system supporting our retail website,” which left personal customer information — including credit card information — compromised.
Canada Computers says it took immediate steps to contain the breach. It also notified authorities and launched an investigation. Affected customers were alerted on Jan. 25.
The breach has been reported to the federal privacy watchdog as well as to police in York Region.
Pimentel and Seward are among a half-dozen customers who told CBC News they received notification from the company about the breach and were then subsequently told that was not correct.
The company confirms it sent messaging of this nature out and says it apologizes for the confusion.
“This was a miscommunication,” the company said Tuesday. “Canada Computers sent the original notice to both affected customers and to some who were not impacted. We followed up with [the latter] to confirm that their customer information was not affected.”
The company did not say how many people had received this follow-up messaging.
Breach affected ‘guests’ only, company says
According to the company, the breach affected customers who checked out their purchases as “guests” on its website, and who also entered their personal information, between Dec. 29 and Jan. 22.
Pimentel said he did not check out as a guest. But the company’s explanation has not left him feeling more secure.
“I don’t feel confident at all,” he said, adding that he expects more transparency from a retailer as big as Canada Computers. The company operates more than 30 stores across four provinces, in addition to its retail website.
“It’s not a small mom-and-pop shop in some strip mall,” said Pimentel, who lives in Hamilton, Ont., within driving distance of two of the company’s stores.
Seward similarly said he did not check out as a guest when making his recent at Canada Computers.
And although he was told by the company he was not in the group of affected customers, he said its explanation “didn’t coincide with my experience.”
Thousands of workers’ personal information was sold through the dark web after a data breach at B.C. Interior Health. The agency denied it ever happened. The fifth estate’s Mark Kelley showed up at an industry event to ask the minister in charge about it.
Breaches can go unnoticed for months
Terry Cutler, CEO of Montreal-based Cyology Labs, said cybersecurity episodes of this nature often go unnoticed for months before they are detected.
To his point, IBM publishes an annual report on the costs associated with data breaches. In 2025, it said the global average breach life cycle — the mean time required to identify and contain a breach and then restore services — was 241 days, or roughly eight months.
John Bruggeman, a Cincinnati, Ohio,-based cybersecurity professional with OnX, said there’s been suggestion online that customers may have helped bring the problem to the attention of Canada Computers, which could explain why the window of time the company is citing is relatively short.
Bruggeman noted that the company’s description of the incident suggests its website has a branch that deals with guest checkouts that is distinct from purchases made by users with dedicated accounts.
But both he and Cutler say people making purchases as a guest are probably doing so for practical reasons. Bruggeman said he normally decides whether to check out as a guest based on whether he wants to have further communication with the company.
As for the bigger picture, Cutler said stolen data can have a long shelf life, as “cybercriminals can get to it weeks, months, years later.”
To that end, Canada Computers says it has “provided guidance” to affected customers “on protecting their personal and financial information” and offering them two years of credit monitoring and identity theft protection.