Skip to content

Incidents in country:

Canada

25 incidents catalogued

Supply chainContained

Klue supply-chain breach exposes customers' Salesforce data

A dormant API credential let attackers compromise competitive-intelligence platform Klue and harvest OAuth tokens for customers' connected apps, exfiltrating Salesforce records from firms including Huntress and Recorded Future in a supply-chain attack later tied to the Icarus extortion group.

Victim
Klue (and customers including Huntress and Recorded Future)
EspionageContained

UNC6508 PRC-nexus medical & defense research espionage campaign

Google's Threat Intelligence Group disclosed that PRC-nexus actor UNC6508 spent more than a year inside U.S. and Canadian medical, academic and military-health research environments, compromising legacy REDCap servers, deploying custom INFINITERED malware and abusing Google Workspace email compliance rules to silently exfiltrate research and defense data.

Victim
U.S. and Canadian medical, academic and military-health research institutions
Data breachResolved

Fair Vote Canada data breach (2024)

In March 2024, the Canadian national citizens' campaign for proportional representation Fair Vote Canada suffered a data breach. The incident was attributed to "a well-meaning volunteer" who inadvertently exposed data from 2020 which included 134k unique email addresses, names, physical addresses,…

Victim
Fair Vote Canada
Records
134.3K
RansomwareContained

Indigo Books LockBit ransomware

LockBit affiliates encrypted Canada's largest bookseller, taking the website and in-store payment systems offline for weeks. Indigo publicly refused the ransom; LockBit published employee personal data.

Victim
Indigo Books & Music Inc.
Loss
$40.0M
Records
5.0K
RansomwareResolved

SickKids hospital ransomware attack

Toronto's Hospital for Sick Children was hit by a ransomware attack over the December 2022 holidays that delayed lab and imaging results; in a rare move, the LockBit gang apologized, blamed a rogue affiliate, and released a free decryptor.

Victim
The Hospital for Sick Children (SickKids)
Data breachResolved

Shopper+ data breach (2020)

In March 2023, "Canada's online shopping mall" Shopper+ disclosed a data breach discovered on a public hacking forum. The breach dated back to September 2020 and included 878k customer records with email and physical addresses, names, phone numbers and in some cases, genders and dates of birth.

Victim
Shopper+
Records
878.3K
Data breachResolved

Wattpad data breach (2020)

In mid-2020, the user-generated stories platform Wattpad suffered a breach exposing roughly 268.8 million records, including names, email addresses, dates of birth, and bcrypt-hashed passwords. The database was first sold privately, then leaked for free on a hacking forum.

Victim
Wattpad
Records
268.8M
RansomwareRansom paid

LifeLabs data breach

Canada's largest medical-testing laboratory disclosed that attackers had accessed health data on roughly 15 million customers, paid an undisclosed ransom to retrieve the stolen records, and was later found by privacy regulators to have failed to safeguard the information.

Victim
LifeLabs
Records
15.0M
Data breachResolved

Bell (2017 breach) data breach (2017)

In May 2017, the Bell telecommunications company in Canada suffered a data breach resulting in the exposure of millions of customer records. The data was consequently leaked online with a message from the attacker stating that they were "releasing a significant portion of Bell.ca's data due to the…

Victim
Bell (2017 breach)
Records
2.2M
Data breachResolved

Ashley Madison (Avid Life Media) breach

A group calling itself the Impact Team breached infidelity dating site Ashley Madison, then dumped the account data of roughly 32 million users β€” names, emails, sexual preferences and payment records β€” after parent company Avid Life Media refused to shut the site down.

Victim
Avid Life Media (Ashley Madison)
Loss
$1.6M
Records
32.0M
MalwareResolved

Home Depot POS breach

Attackers used a vendor's stolen credentials and custom point-of-sale malware to harvest about 56 million payment cards and 53 million email addresses from Home Depot's U.S. and Canadian self-checkout systems over five months β€” the largest retail card breach of its time.

Victim
The Home Depot
Loss
$179.0M
Records
56.0M
Data breachResolved

Bell (2014 breach) data breach (2014)

In February 2014, Bell Canada suffered a data breach via the hacker collective known as NullCrew. The breach included data from multiple locations within Bell and exposed email addresses, usernames, user preferences and a number of unencrypted passwords and credit card data from 40,000 records…

Victim
Bell (2014 breach)
Records
20.9K