Data breach in the Canadian government exposes phone numbers and email accounts

In a statement issued on September 9, 2025, the Treasury Board of Canada Secretariat announced that phone numbers and email addresses from user accounts at the Canada Revenue Agency (CRA), the Department of Employment and Social Development Canada (ESDC), and the Canada Border Services Agency (CBSA) had been affected by a data breach. In total, it is estimated that the incident affected more than 880,000 phone numbers and 85,000 emails.

On August 17, 2025, the Government of Canada was alerted to the data breach. It affected the interface of the multi-factor authentication (MFA) application of its external service provider, 2Keys Corporation. This authentication service is used to verify the credentials of user accounts associated with the aforementioned Canadian entities CRA, ESDC, and CBSA.

A routine software update caused a vulnerability that allowed a malicious actor to access phone numbers and email addresses of people who used the MFA service between August 3 and August 15, 2025. During this period, the actor sent spam messages to some of these compromised phone numbers. These messages contained a link to a fraudulent phishing website that mimicked the official Government of Canada website in order to steal user data. At this time, the perpetrator of this incident has not been identified.

The Canadian government announced that its provider, 2Keys Corporation, has already fixed the vulnerability and that the authentication service has been restored. The ongoing investigation indicates that, so far, there is no evidence that any sensitive personal information beyond the phone numbers and email accounts themselves has been exposed.