Canadian Federal Government agencies hit by cyberattack through third party service breach

The Canadian federal government is reporting a data security incident that compromised personal information from three government agencies: 

• the Canada Revenue Agency (CRA);
• Employment and Social Development Canada (ESDC),
• Canada Border Services Agency (CBSA). 

The breach occurred through a vulnerability in a third-party multi-factor authentication service provided by 2Keys Corporation, exposing users' contact information and triggering phishing attacks.

The government was alerted to the cyber incident on August 17, 2025, by 2Keys Corporation. The incident affected individuals who used the multi-factor authentication service between August 3 and August 15, 2025. A software update in this period created a security vulnerability that malicious actors exploited.

The compromised information included:

• Phone numbers linked to Canada Revenue Agency accounts
• Phone numbers linked to Employment and Social Development Canada accounts
• Email addresses associated with Canada Border Services Agency accounts

The number of affected individuals is not disclosed. The hackers sent text messages containing links to a fraudulent phishing website designed to look like a Government of Canada website to some of the compromised phone numbers.

2Keys Corporation patched the software vulnerability and the MFA service has been restored. The company claims that the breach was limited to phone numbers and email addresses. There is no indication that any additional personal identifiable information or sensitive personal data was exposed.

The government has classified this as a non-material privacy incident, indicating the scope was contained to basic contact information rather than more sensitive financial or personal data.