On August 17, 2025, the Government of Canada disclosed a cybersecurity incident involving 2Keys Corporation, a third-party provider of multi-factor authentication (MFA) services used by CRA, ESDC, and CBSA. A routine software update introduced a vulnerability that exposed phone numbers and email addresses of users who accessed these services between August 3 and 15.
Some individuals received phishing texts linking to a fake government website. No sensitive personal data or account credentials were compromised, and the issue was quickly resolved with support from cybersecurity experts.
This incident, though classified as a non-material privacy breach, highlights a critical lesson for Canadian organizations: even trusted systems can be vulnerable. Businesses must assess the security of third-party vendors, implement layered protection beyond MFA, and educate employees on recognizing phishing attempts.
Cyber threats are growing in complexity, and no sector is immune. The Government of Canada has robust systems to detect and neutralize threats, but this event underscores the importance of proactive cybersecurity for all organizations.
Original article courtesy of Canada.ca.