Cyberlands.io - API Penetration Testing

Top 15 Cybersecurity Breaches in Canada

Learn about the state of cybersecurity in Canada and the 15 biggest breaches in this country.
Compared to 2019 statistics, the frequency of security breaches today has increased by 20%, meaning that a ransomware attack happens somewhere in the world every 11 seconds, and Canada is no exception.

Although the country ranks 13th in the list of countries in terms of the efficiency of their cybersecurity strategy, the number of security breaches in Canada still rises from year to year. A whopping 85% of Canadian companies were affected by cybercriminals in 2021, which is a 7% increase in comparison with 2020.

As the average cost of a data breach for Canadian companies is 5.4 million, both businesses and the government are taking measures to strengthen cybersecurity at the organizational and national levels:

  • A Canadian company spends on average 11.1% of its IT budget on security.

  • The government keeps issuing new legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act) and amendments to the current regulations in order to regulate how companies handle customer- and business-related data.

Below, we've reviewed the most infamous cybersecurity breaches in Canada you should have heard of, analyzing their causes and outcomes for various companies and enterprises.
#1 IKEA's Internal Data Breach Impacted Up to 100,000 Canadians
In May 2022, IKEA confirmed an internal security breach reported between March 1 and 3 of that year, when some of its customers' personal information appeared in a generic search made by an IKEA employee. IKEA Canada PR leader Kristin Newbigging said that the incident hadn't affected the banking or financial information of their clients.

After the breach was detected, the company offered reassurance that security experts acted quickly to prevent the data leak. According to the official announcements, no client data was used, stored, or shared as a result, and no action is required on the customers' side.

Nevertheless, many cybersecurity experts claim that, along with outside attacks, companies shouldn't overlook insider threats. In 2020 alone, insider threats cost $11.45 million, and that cost will keep increasing in the upcoming years. That is why employees should be limited to accessing solely the enterprise data they need to work with, a restriction that many companies neglect today. Such a precaution can help to secure internal data and prevent abuse of privileged access.
#2 Financial Services Firm Exposed Personal Data of Over 10 Million Customers
The infamous privacy breach occurred in June 2019 and spanned nearly two years without being noticed. The security department became aware of it only after the organization had been notified by the federal Privacy Commissioner, according to the report.

According to the commissioner's report, the rogue employee siphoned sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization for at least 26 months. The exposed clients' data included first and last names, dates of birth, social insurance numbers, street addresses, phone numbers, emails, and transaction histories.

Desjardins' settlement will provide compensation for identity theft and loss of time related to the personal information breach, paying out nearly $201 million to settle a class-action lawsuit. As mentioned, the overall number of individuals affected by that privacy breach reached close to 9.7 million Canadians.

To minimize the risks involved in collecting, storing, transmitting, or processing any sensitive data, it is recommended to regularly conduct cybersecurity audits and system testing. This investment might seem unreasonable at first, but it can help you identify problems in a timely manner, as well as determine and eliminate breach-related vulnerabilities.
#3 Telecom Company Bell Canada Reported the Largest Customer Data Breach
Multiple attacks were also announced by Bell Canada, one of the largest telecommunications companies in the country. According to the announcement in May 2017, the data affected included close to 1.9 million customer email addresses, as well as 1,700 names and phone numbers. The party responsible for the attack wasn't named, but the information released mentioned that the hackers were leaking the information due to Bell's failure to cooperate with them.

It is worth mentioning that Bell didn't announce the breach immediately upon discovery, in order to get more details before officially notifying customers. Fortunately, no sensitive personal information, such as financial data or passwords, was affected. Bell's representatives contacted the affected customers directly to notify them about the incident and advise them to regularly change their passwords and security questions, as well as watch out for suspicious emails. Overall, the information theft affected nearly 1.9 million customers.

Nevertheless, that was not the only security breach at Bell Canada. Eight months later the company reported a similar data breach that affected up to 100,000 customers. The exposed information included customers' key personal information, all of which could be sold in underground markets and used for malicious activities.
#4 Home Depot Canada Suffered a Customer Data Leak Following Systems Error
In November 2020, Home Depot Inc. in Canada started receiving the first reports of a data breach that, according to the official press release, "seems to be the result of an internal system error rather than an external attack". Its customers started receiving reminder emails by mistake for hundreds of orders that were ready to pick up. In some cases, users reported receiving up to 1,000 emails at one address or even more. The email content included customer names, email addresses, order numbers, and the last four digits of customer payment cards.

After the confirmation, Home Depot Canada claimed the system error affected a "very small number of customers", but the cause of the data breach was not disclosed. However, regardless of the small number of affected clients, there is still a huge threat to customer security, as leaked personal data can be gold for a malicious actor. Personal information like that can be used to craft a convincing phishing email, and affected customers who click on it risk becoming victims.
#5 PayPal-owned Canadian Firm TIO Networks Leaked 1.6 Million Clients' Records
In December 2017, the global digital payments giant reported a potential compromise of personally identifiable information for approximately 1.6 million customers on TIO Networks, a Canadian payments platform owned by PayPal.

After the security system vulnerability was detected, TIO Networks immediately suspended all of its operations to protect the clients' data and initiated an internal investigation, in which the experts uncovered multiple cases of unauthorized access to TIO's network, including areas that stored personal information of some of the company's customers and customers of TIO billers. Following that, the company contacted all customers, billers, and retailers affected by the leak and promised to keep them updated with instructions for securing their personal data.

Fortunately, TIO Networks' and PayPal's systems are completely separate, so the latter's client data remains secure.
#6 TransUnion's Major Data Leak May Have Impacted Over 37,000 Clients in Canada
According to an October 2019 statement, the personal information of about 37 thousand Canadians held by TransUnion may have been compromised in the summer by a third party. The company's spokesperson David Blumberg claimed that the fraudulent access was gained through the login credentials of one of their business customers between June and July 2019. Since the unauthorized access was not the result of a breach or failure of TransUnion's systems or the customer's system, the security breach was detected only a month later.

TransUnion did not disclose what kind of personal information was compromised by the fraudulent login. Still, the credit check by a bank or lender could give access to an individual's name, date of birth, current and former addresses, information on existing credit and loan obligations, credit repayment history, and potentially their social insurance number.

A similar data breach was reported by TransUnion shortly before the incident, so, learning from past experience, the company immediately notified the clients whose information may have been accessed, as well as the privacy commissioners.
#7 Canada Post Leaked Personal Data & Orders of Thousands of Cannabis Smokers
In November 2018, the Ontario Cannabis Store (OCS), the only legal supplier in the region at the time of the incident, reported the security incident on its official Twitter account. The company said hackers accessed the order records of 4,500 customers, roughly 2% of the firm's customer base. The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

After the breach was uncovered, Ontario Cannabis Store and Canada Post worked together to investigate the causes, but Canada Post's failure to inform customers led OCS to take immediate action to notify the customers itself.

Despite over 1,000 complaints relating to OCS service, billing issues, and late deliveries received by a local ombudsman, the company still insists that buyers' names (unless they were the ones accepting the delivery), delivery addresses, order contents, and payment details were not compromised.
#8 Nissan Canada Breach Resulted in a Major Leak of Over 1 Million Customers' Data
During the last week of 2017, Nissan Canada Finance (NCF) reported unauthorized access dated December 11 of that year, in which all current and former customers may have had their details compromised. To address all the related questions, the company released a statement on its website with the details of the breach, which should definitely become a common practice for any reputable company today.

According to the official announcement, the data breach may have affected customers who financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada. The data that could have been affected as a result covers customer name, address, vehicle information (model, manufacturing date and VIN code), and banking information.

The company responded to the data breach at the highest level: its representatives contacted Canadian privacy regulators, law enforcement, and leading data security experts to help investigate, and the clients were offered 12 months of credit monitoring services through two national credit bureaus at no cost. Additionally, NCF provided contact links and comprehensive knowledge bases with more information about how customers can protect themselves.
#9 Superior Plus, Canadian Propane Distributor, Has Reported a Security Incident
Canada's largest propane distributor, with roughly 800,000 customers across the U.S. and Canada, announced a major ransomware attack that started on December 12, 2021. To secure the internal system during the attack and start the investigation process, Superior Plus temporarily disabled certain computer systems and applications. Additionally, the company brought in cybersecurity experts to help deal with the incident and assess the impact of the breach.

The official announcement said that during the investigation process there was no evidence that client security or any personal data had been compromised. However, Superior was unclear about which ransomware group might be behind the attack or which systems were affected. Still, third-party cybersecurity experts warn that the fact Superior has taken certain systems offline is an indication that the attackers were successful.

A similar case happened to Superior's biggest competitor, AmeriGas, which was also impacted by a cyberattack earlier this year. This means that it's never been more important to tighten up and get the security practices right: apply least privilege and build in resilience, while planning for the worst and detecting possible threats in a timely manner.
#10 Over 2.5 Million Canadians' Data from Cosmetics Giant Yves Rocher Potentially Leaked
In September 2019, the personal data of about 2.5 million Canadian customers of cosmetics brand Yves Rocher was left exposed in an unsecured database. Cybersecurity researchers discovered that the vulnerability was located in the Elasticsearch database where Yves Rocher clients' data was stored. According to the primary sources, the data affected included first and last names, dates of birth, phone numbers, email addresses, and zip codes. This security vulnerability enabled third parties to access the API of the internal database used by Yves Rocher employees, with the ability to add, delete, and/or modify said data.

In addition to that, the exposed data also contained gigabytes of internal information, such as store traffic statistics, turnover, order volumes, product details, offer codes, and even ingredients for more than 40,000 retail products. Such a large data leak put the reputation of cosmetics brand Yves Rocher in question, along with the security of its client data and the company's internal system.
#11 LifeLabs Data Breach Affected Over 15 Million Canadians
LifeLabs is the largest provider of medical lab diagnostic services in Canada, so almost half of Canada's total population has had some sort of testing done by this vendor, and that's what makes this security breach stand out from other cases.

According to news sources, the data breach occurred in October 2019 and is considered to be the largest in Canada in terms of personal record count. The company didn't reveal the ransomware attack until December 17, when the official statement was posted on its website. The breach affected the personal information of an estimated 15 million Canadians (nearly 40% of all Canadians), and a civil lawsuit introduced in Toronto was seeking a total of $1.14 billion in damages.

In its public statements, LifeLabs indicated it had made some sort of payment to retrieve the data, without clarifying the success of this operation or the details of the attack. It's worth mentioning that there is still no guarantee that paying a ransom gets the data out of unauthorized hands, so neither the company nor its customers can be entirely sure that copies were not made.
#12 CVS and Walmart Canada Reported a Customer Banking Data Breach
In July 2015, retailers CVS and Walmart Canada announced that a data breach at their Canadian information technology vendor may have leaked credit card information from their online photo processing websites, possibly compromising data on millions of users. To secure the customer data, the retailers temporarily shut down the online photo processing services and related mobile services and initiated an internal investigation to evaluate the scope of the breach and damages. Additionally, customers were advised to check their credit card records for any suspicious activity, but the overall number of affected people remained uncertain.

According to the official information, PNI Digital Media provides hosting services for the photo sites and customer payment information. The vendor also provides software for the online photo processing services of a third retailer, Costco. After the issue was discovered, PNI was additionally investigating a potential credit card data security issue, giving assurances that the protection of the information was its number one priority.
#13 Panasonic Canadian Operations Confirmed the Data Breach of 2.7 GB
In April 2022, Japanese technology giant Panasonic officially confirmed its Canadian operations were hit by a February cyberattack that affected internal systems, processes, and networks. The company, however, did not confirm whether the incident was the result of a ransomware attack, what data was accessed and how, or what the scope of the affected data was.

The Conti ransomware-as-a-service group claimed responsibility for the attack, saying that it had obtained more than 2.7 gigabytes of data from Panasonic Canada. As proof, the group provided a leaked page with Panasonic internal files, spreadsheets, and documents belonging to the HR and accounting departments.

Despite Panasonic's efforts to restore operations and data and to continuously improve the security of its internal systems, this was not the first time the company experienced a data breach. A similar incident had already happened six months earlier, in November 2021, when Panasonic confirmed that a third party had accessed its network and data.

Nevertheless, this company is not alone: according to SonicWall's 2022 Cyber Threat Report, governments worldwide saw a 1,885% increase in ransomware attacks, which only confirms the importance of strengthening cybersecurity precautions.
#14 Canadian Internet Service Provider Rogers Communications Suffered from a Massive Data Breach
Toronto-based Rogers, one of Canada's largest telecom providers, confirmed a massive company and client data leak from March 1, 2015, when a group of hackers calling itself TeamHans linked to a dump of allegedly stolen data on Twitter. It is reported that the leaked data includes emails and contact details of 50 to 70 mid-size businesses whose accounts were managed by the targeted Rogers employee. Since the incident, the company hasn't authenticated the security breach, but the leaked Rogers breach report says that "a large number of [the employee's] corporate emails were forwarded to 2 suspicious-looking email accounts on Feb 21st".

According to information from official sources, a representative of TeamHans said that the hackers released the data after an employee whom they had targeted for extortion refused to pay them the bitcoins they were demanding. The ransom was approximately 70 BTC, which at the time of the attack was equivalent to about 19,000 U.S. dollars.
#15 National Healthcare Chain Homewood Health Confirmed the Recent Data Breach Hit
On July 19, 2021, stolen documents were put up for sale on Marketo by ransomware. The files appeared to be agreements between Homewood Health and the University of Lethbridge, in addition to a list of persons with a provincial workers' compensation board. The company itself hasn't commented on the incident but confirmed the security breach to CTV News. The responsibility for the data breach has been pinned on Hafnium, a group of state-sponsored Chinese hackers.

Nevertheless, "neither Homewood Health nor the cybersecurity experts hired have been able to find any evidence of any unauthorized access to any of Homewood Health's client application systems", the company claimed. Though Homewood Health would not estimate the overall number of clients affected, it did claim that the affected people would be notified as soon as possible.
Conclusion
These were the most infamous cybersecurity breaches in Canada to know so far. We hope that the experience of these companies and enterprises has helped you to gain more knowledge about cyberattacks and define the most effective strategies for improving the security of your business.
Cyberlands.io Team