Toys “R” Us Canada has begun notifying customers about a data breach that compromised a portion of its customer database. The incident came to light on July 30, 2025, when the retailer discovered a dark web post claiming to contain customer records stolen from its systems. In a letter sent to those affected, the company acknowledged that an “unauthorized third party copied certain records from our customer database which contains personal information.” The confirmation followed an immediate investigation conducted with the help of third-party cybersecurity experts.
The company’s investigation confirmed that the leaked information was authentic, though the exact types of data exposed vary per individual. The information potentially compromised includes a customer’s full name, physical address, email address, and phone number. However, Toys “R” Us Canada was quick to emphasize a critical point: highly sensitive data like account passwords, credit card information, or other similar confidential data were not exposed in the incident. This limits the immediate risk of financial fraud related to payment details.
A subsidiary of the international brand, Toys “R” Us Canada operates 40 stores nationwide, selling a range of products including toys, video games, and clothing. Following the discovery of the breach, the toy chain has taken steps to enhance its digital security. Under the guidance of its cybersecurity consultants, the company has implemented upgraded security measures across its IT systems to prevent a similar incident in the future. The firm is also currently in the process of notifying the applicable privacy regulatory authorities in Canada, fulfilling its legal obligation regarding the data exposure.
As the company manages the aftermath, notification recipients are being urged to take proactive steps to protect themselves. The primary advice is to remain vigilant for phishing attempts and unsolicited communications that may falsely claim to be from the retailer and request personal information. Customers should ignore unexpected communications and never respond to requests for sensitive data.
The full scope of the breach remains unclear. When asked for more details about the threat actor, the total number of customers exposed, and whether a ransom demand was made, the company had not provided a response at the time of publication. Regardless of the unanswered questions, this incident serves as a clear reminder for all customers to practice strong cyber hygiene and monitor for suspicious activity, especially for unsolicited emails or messages.
Reference:
