The organization notes that it spent over 9,000 hours investigating the incident and found no evidence that the stolen data has been misused or published on the dark web.
However, to help mitigate the risks, CIRO will be providing all affected investors with a free-of-charge two-year credit monitoring and identity theft protection service.
Gotta love this whole schtick, “oopsie! We weren’t careful enough with your personal info–here’s a voucher for free protection after the fact, because we failed to provide it to you when it mattered” (with the connotation that you should have taken them up on that free protection last time a corp accidentally shared your personal data with the world, and perhaps you wouldn’t be in this mess!)
…and that’s it! Business as usual after nearly a million people have their personal info compromised. As long as this is the punishment, it’s simply a business expense at worst.