Cyberattack Exposes Contact Information in Canadian Federal Agencies
In early September 2025, the Canadian federal government confirmed that a cyberattack had compromised certain contact information associated with individual accounts across multiple departments. Specifically, email addresses and phone numbers linked to the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and the Canada Border Services Agency (CBSA) were accessed by unauthorized actors. The breach was not the result of a direct hack into the agencies themselves but stemmed from a vulnerability in the multi-factor authentication (MFA) service used by these government bodies.
The root cause of the incident was traced to a routine software update applied to the MFA service provided by 2Keys Corporation, a third-party authentication provider. The update, which was implemented between August 3 and August 15, inadvertently introduced a weakness into the system. Malicious actors exploited this vulnerability to access contact data. The breach was discovered on August 17 by 2Keys, which immediately alerted federal authorities, prompting a full-scale investigation and response effort. As a precautionary measure, the MFA service was temporarily taken offline and later restored after security patches were applied.
Cyberattack on the Federal Government: Current Status and Privacy Implications
According to officials, the information accessed included phone numbers connected to CRA and ESDC accounts, and email addresses tied to CBSA accounts. While this may seem limited in scope, the implications are significant, particularly in terms of phishing and social engineering risks. Fortunately, there is currently no evidence that more sensitive personal data—such as Social Insurance Numbers, financial records, or home addresses—was accessed. However, the government has urged all affected individuals to remain cautious and to report any suspicious messages or unauthorized attempts to access their accounts.
Already, there have been reports of targeted spam messages being sent to some of the affected phone numbers. These messages often contain malicious links that mimic official Government of Canada websites in an attempt to harvest more information. As a result, individuals are strongly advised to verify the legitimacy of any communication purporting to be from a federal agency and to avoid clicking on suspicious links. It is also recommended that users enhance the security of their accounts by enabling updated MFA options and using separate authentication apps or physical security keys where available.
Government Response
The government’s response to the breach has involved external cybersecurity experts and a comprehensive review of the impacted systems. The restored MFA service has undergone additional scrutiny to ensure its reliability. Beyond the immediate response, the incident has raised broader concerns about the reliance on third-party providers for critical security infrastructure. It underscores the importance of rigorous vendor oversight, robust patch management, and more secure software update mechanisms.
Moving forward, the federal government is expected to conduct system-wide audits to assess other potential vulnerabilities that may exist across departments. There are also calls for stricter cybersecurity standards for third-party contractors like 2Keys, whose services underpin essential citizen-facing infrastructure. Transparent communication with the public, robust data protection policies, and continuous improvements to digital defenses will be crucial to restoring public trust in federal online services.
Conclusion
While the exposed data was limited to email addresses and phone numbers, the breach serves as a stark reminder of how even seemingly benign information can be weaponized in today’s digital landscape. Cybersecurity is no longer just about protecting sensitive financial or identity data; it’s about securing all digital touchpoints that can be leveraged for malicious purposes.