The Privacy Commissioner of Canada is an Officer of Parliament, mandated to protect and promote privacy rights. The Office of the Privacy Commissioner (OPC) hosts a page on LinkedIn to communicate with people about future career opportunities at the OPC, to offer privacy tips and guidance to small businesses to increase their awareness of, and therefore compliance with, PIPEDA, and to share important announcements.

Privacy notice: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_LinkedIn
Comment policy: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_Comment
About the OPC: https://www.priv.gc.ca/en/about-the-opc/

French-language versions of the same pages:
Privacy notice: https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_LinkedIn
Comment policy: https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_Comment
About the OPC: https://www.priv.gc.ca/fr/a-propos-du-commissariat/

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada A.I CyberSecurity Scoring

OPCCLPDLVPDC

Company Details

LinkedIn ID: office-of-the-privacy-commissioner-of-canada
Employees number: 173
Number of followers: 36,993
NAICS: 92
Industry Type: Government Administration
Homepage: priv.gc.ca
IP Addresses: 0
Company ID: OFF_8741243
Scan Status: In-progress

OPCCLPDLVPDC Risk Score (AI oriented)

Between 650 and 699

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums
OPCCLPDLVPDC Global Score (TPRM)

XXXX


OPCCLPDLVPDC Company CyberSecurity News & History

Past Incidents: 7
Attack Types: 3

Transport Canada
Breach
Severity: 25
Impact: 1
Seen: 10/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack without any consequences: Attack in which data is not compromised

Description: Transport Canada experienced a cybersecurity incident involving a local breach in a cloud-based software provider used by the agency. While the breach was contained, it prompted a collaborative response with federal security partners, including law enforcement, to assess potential risks. The agency emphasized that no direct impacts were reported on airport operations, safety, or security, suggesting the breach did not compromise critical transportation systems or sensitive data. However, the incident raised concerns about operational efficiency and the need for proactive mitigation against future cyber threats. Transport Canada is actively working with air operators to strengthen defenses against similar incidents, whether cyber-related or otherwise, to ensure uninterrupted transportation safety and security. The breach appears to have been isolated, with no evidence of data theft, financial loss, or reputational damage beyond internal investigations and preventive measures.

Tiffany & Co.
Breach
Severity: 85
Impact: 4
Seen: 5/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: A data breach at Tiffany & Co. is under investigation by the Office of the Privacy Commissioner of Canada after the company reported the incident. The breach, which occurred in May but was only discovered in September, has impacted Canadian and U.S. customers, though the exact number of affected accounts remains unclear. The privacy commissioner is reviewing Tiffany & Co.’s response to ensure adequate measures are taken to protect the compromised personal information of Canadians. A formal breach report was submitted to the Maine attorney general, indicating potential exposure of customer data. The nature of the breach suggests unauthorized access to personal information, though specific details such as whether financial data, contact information, or other sensitive records were leaked have not been disclosed. The incident is still under regulatory scrutiny, with authorities assessing compliance and next steps to mitigate risks for affected individuals.

Canada Border Services Agency | Agence des services frontaliers du Canada
Breach
Severity: 80
Impact: 4
Seen: 10/2022
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Canada Border Services Agency suffered a data breach after an incident at a contractor led to unauthorised access to up to 1.38 million licence plates and related information. The investigation found that the contract lacked clauses with respect to security safeguards, including for the protection and retention of personal information. Bad actors were able to break into the third-party contractors’ systems through an unpatched and decommissioned server, where they were able to access, copy, and remove files from the network, before posting some of the data on the dark web. The breach exposed around 9,000 licence plate photos of travellers crossing into Canada from the border crossing in Cornwall, Ontario.

Government of Canada: Canadians could claim up to $5,000 in proposed CRA settlement
Cyber Attack
Severity: 85
Impact: 4
Seen: 3/2020
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Canada Proposes Class-Action Settlement for 2020 Credential Stuffing Attacks on Government Accounts

In August 2020, the Canadian government faced credential stuffing attacks targeting the GCKey service and Canada Revenue Agency (CRA) accounts, exposing the personal and financial data of Canadians. The breach prompted a class-action lawsuit filed by Todd Sweet, who alleged that inadequate security measures allowed unauthorized access to government portals, enabling fraudsters to exploit accounts including filing fraudulent claims for the Canada Emergency Response Benefit (CERB). A proposed settlement was reached in October 2025, with court approval pending for March 31, 2026. The government acknowledged persistent cyber threats but confirmed that affected individuals would be notified directly.

Eligibility & Compensation

Eligible class members include those whose Government of Canada Online Accounts (CRA, My Service Canada, or GCKey-linked accounts) were accessed without authorization between March 1 and December 31, 2020. However, only victims of the June 15–August 30, 2020 credential stuffing attacks where data was either accessed or used fraudulently may qualify for payments. Compensation varies by impact:
  • Access claims: Up to $80 ($20/hour for 4 hours) for time spent addressing the breach.
  • Fraud claims: Up to $200 ($20/hour for 10 hours) if personal data was used for fraud (e.g., CERB fraud).
  • Special compensation fund: Up to $5,000 for out-of-pocket expenses (e.g., fraud losses, identity theft fees).

Eligible individuals will receive instructions post-approval, with no immediate action required. The final payout amounts may be adjusted based on the number of claims.

Government of Canada
Data Leak
Severity: 60
Impact: 3
Seen: 08/2018
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: The Government of Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system, through misconfigured pages on Trello, a project management website. 25 Canadian government Trello boards held sensitive information, such as remote file access (FTP) credentials and login details for the Eventbrite event-planning platform. The Government of Canada said that departments and agencies of the Government of Canada must apply adequate security controls to protect their users, information, and assets. Employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.

Canada Revenue Agency - Agence du revenu du Canada
Breach
Severity: 85
Impact: 4
Seen: 06/2018
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Canada Revenue Agency logs 2,338 privacy breaches in just under 2 years. The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months. But only a handful affected a large number of Canadians.

Government of Canada
Cyber Attack
Severity: 100
Impact: 6
Seen: 06/2015
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was intended as retaliation for a new anti-terrorism law passed by Canada’s politicians.


Underwriter Stats for OPCCLPDLVPDC

Incidents vs Government Administration Industry Average (This Year)

No incidents recorded for Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada in 2026.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada in 2026.

Incident Types OPCCLPDLVPDC vs Government Administration Industry Avg (This Year)

No incidents recorded for Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada in 2026.

Incident History — OPCCLPDLVPDC (X = Date, Y = Severity)

OPCCLPDLVPDC cyber incidents detection timeline including parent company and subsidiaries

OPCCLPDLVPDC Company Subsidiaries


OPCCLPDLVPDC Similar Companies

State of Indiana

State government is more than senators, representatives, and elected officials. We build highways, provide drivers licenses, protect our children and vulnerable populations, create jobs, connect Hoosiers to job opportunities, maintain state parks, train law enforcement officers, and we run museums

Secretaría de Educación Pública

MISSION/PURPOSE: The essential purpose of the SEP is to create conditions that ensure access for all Mexicans to quality education, at the level and in the modality they require and in the place where they demand it. VISION: In the year 2025, Mexico has a system

Texas Health and Human Services

Overview The Texas Health and Human Services Commission (HHSC) is an agency within the Texas Health and Human Services System. In September 2016, Texas began transforming how it delivers health and human services to qualified Texans, with a goal of making the Health and Human Services System more ef

ISSSTE

Institute for Social Security and Services for State Workers. It is a public body that provides health services, pensions, housing, loans, childcare centres, tourism, culture, recreation and sport; its members are workers of government agencies, with

Commonwealth of Massachusetts

Year after year, the Commonwealth of Massachusetts has continued to pioneer bold legislative actions and programs, some of which have been embraced on a national scale. We are always looking for talented individuals to help us maintain this momentum and improve the services that millions of people d

U.S. Department of the Treasury

The Treasury Department is the executive agency responsible for promoting economic prosperity and ensuring the financial security of the United States. The Department is responsible for a wide range of activities such as advising the President on economic and financial issues, encouraging sustainabl

European Commission

The Commission represents and upholds the interests of the EU as a whole, and is independent of national governments. The European Commission prepares legislation for adoption by the Council (representing the member countries) and the Parliament (representing the citizens). It administers the budge

State of Oregon

Official LinkedIn page for the state of Oregon. Oregon is a state in the Pacific Northwest region of the United States. It is located on the Pacific coast, with Washington to the north, California to the south, Nevada on the southeast and Idaho to the east. The Columbia and Snake rivers delineate mu

State of Illinois

The government of Illinois, under the Constitution of Illinois, has three branches of government: executive, legislative and judicial. The executive branch is split into several statewide elected offices, with the Governor as chief executive, and has numerous departments, agencies, boards and commis


OPCCLPDLVPDC CyberSecurity News

January 15, 2026 08:00 AM
Data Privacy Week

Find information and resources about the OPC's participation in Data Privacy Week.

September 18, 2025 07:00 AM
Privacy Commissioner of Canada’s new guidance on biometrics: What does it mean for your business?

In August 2025, the Office of the Privacy Commissioner of Canada (OPC) issued new guidance for private-sector organizations deploying...

June 05, 2025 07:00 AM
Prioritizing privacy in a data-driven world

2024-2025 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act...

November 24, 2023 08:00 AM
Canada’s privacy watchdog investigating hack affecting military and RCMP personnel

The Privacy Commissioner of Canada is investigating a cyberattack that compromised data on current and former members of the country's armed forces.

September 19, 2023 07:00 AM
Protecting and promoting privacy in a digital world

2022-2023 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act...

October 08, 2020 07:00 AM
Privacy in a pandemic

2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

OPCCLPDLVPDC CyberSecurity History Information

Official Website of Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

The official website of Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is http://www.priv.gc.ca/.

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s AI-Generated Cybersecurity Score

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s AI-generated cybersecurity score is 697, reflecting their Weak security posture.

How many security badges does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada have ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada been affected by any supply chain cyber incidents ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada have SOC 2 Type 1 certification ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not certified under SOC 2 Type 1.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada have SOC 2 Type 2 certification ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not hold a SOC 2 Type 2 certification.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada comply with GDPR ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not listed as GDPR compliant.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada have PCI DSS certification ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not currently maintain PCI DSS compliance.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada comply with HIPAA ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not compliant with HIPAA regulations.

Does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada have ISO 27001 certification ?

According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada operates primarily in the Government Administration industry.

Number of Employees at Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada employs approximately 173 people worldwide.

Subsidiaries Owned by Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada presently has no subsidiaries across any sectors.

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s LinkedIn Followers

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s official LinkedIn profile has approximately 36,993 followers.

NAICS Classification of Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is classified under the NAICS code 92, which corresponds to Public Administration.

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s Presence on Crunchbase

No, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not have a profile on Crunchbase.

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s Presence on LinkedIn

Yes, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/office-of-the-privacy-commissioner-of-canada.

Cybersecurity Incidents Involving Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada

As of January 21, 2026, Rankiteo reports that Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has experienced 7 cybersecurity incidents.

Number of Peer and Competitor Companies

Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has an estimated 11,873 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada ?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach and Cyber Attack.

How does Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures (employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service; review by the Office of the Privacy Commissioner of Canada; collaboration with air operators to mitigate consequences), third-party assistance from federal security partners, and a communication strategy of direct notifications to impacted individuals and public statements.

Incident Details

Can you provide details on each incident ?

Incident : Cyberattack

Title: Cyberattack on Canadian Government Websites

Description: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was intended as retaliation for a new anti-terrorism law passed by Canada’s politicians.

Type: Cyberattack

Threat Actor: Anonymous

Motivation: Retaliation for a new anti-terrorism law

Incident : Data Breach

Title: Canada Revenue Agency Privacy Breaches

Description: The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months.

Type: Data Breach

Incident : Data Exposure

Title: Canadian Government Data Exposure via Trello

Description: The government of Canada exposed sensitive information including software bugs, security plans, server passwords, official internet domains, conference calls, and event-planning system details due to misconfigured Trello boards.

Type: Data Exposure

Attack Vector: Misconfiguration

Vulnerability Exploited: Misconfigured third-party service

Incident : Data Breach

Title: Canada Border Services Agency Data Breach

Description: Canada Border Services Agency suffered a data breach involving a contractor, which led to unauthorised access to up to 1.38 million licence plates and related information.

Type: Data Breach

Attack Vector: Unpatched and decommissioned server

Vulnerability Exploited: Lack of security safeguards in the contract

Threat Actor: Unspecified bad actors

Incident : Data Breach

Title: Data Breach at Tiffany & Co.

Description: A data breach at Tiffany & Co. is under review by the Office of the Privacy Commissioner of Canada (OPC). The OPC is ensuring the jewelry company is taking adequate steps to address the breach and protect the personal information of Canadians. The breach was reported to the OPC, and a letter filed with the Maine attorney general indicates it occurred in May 2025 and was discovered in September 2025. The breach also appears to have affected the United States, though the number of impacted Canadian accounts remains unclear.

Date Detected: 2025-09

Date Publicly Disclosed: 2025-09-17

Type: Data Breach

Incident : Cyber Breach (Third-Party Cloud Provider)

Title: None

Description: A cyber incident involving a breach at a cloud-based software provider impacted Transport Canada. The agency is working with federal security partners, including law enforcement, to ensure no impacts on airport operations' safety and security. Mitigation efforts are underway to prevent future disruptions.

Type: Cyber Breach (Third-Party Cloud Provider)

Incident : Credential Stuffing

Title: Canada Revenue Agency (CRA) and Government of Canada Credential Stuffing Attack

Description: In August 2020, the Canadian government responded to 'credential stuffing' attacks mounted on the GCKey service and CRA accounts. The attack led to unauthorized access to Canadians' personal and financial information, with some accounts used to fraudulently apply for the Canada Emergency Response Benefit (CERB). A class-action lawsuit was initiated by Todd Sweet, alleging negligence in safeguarding confidential information. A proposed settlement was reached in October 2025.

Date Detected: 2020-08-01

Date Publicly Disclosed: 2020-08-01

Date Resolved: 2025-10-01

Type: Credential Stuffing

Attack Vector: Compromised credentials

Vulnerability Exploited: Inadequate safeguards in government online portals

Motivation: Financial gain (fraudulent CERB applications)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through the following recorded entry points: unpatched and decommissioned server; GCKey service and CRA accounts.

Impact of the Incidents

What was the impact of each incident ?

Incident : Cyberattack GOV192330422

Systems Affected: canada.ca, CSIS website

Incident : Data Breach CAN17246822

Data Compromised: Personal, Confidential

Incident : Data Exposure GOV12181122

Data Compromised: Software bugs, Security plans, Server passwords, Official internet domains, Conference calls, Event-planning system details

Systems Affected: Trello boards

Incident : Data Breach CAN206221122

Data Compromised: Licence plates, Related information

Incident : Data Breach OFF1002510091825

Brand Reputation Impact: Potential (under review)

Legal Liabilities: Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general

Identity Theft Risk: Potential (personal information of Canadians affected)

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Systems Affected: Cloud-based software provider (third-party)

Operational Impact: Potential disruption to transportation safety, security, and operational efficiency (mitigated)

Incident : Credential Stuffing GOV1766174849

Data Compromised: Personal and financial information

Systems Affected: CRA accounts, My Service Canada accounts, GCKey service

Operational Impact: Unauthorized access to government benefits systems

Brand Reputation Impact: Significant (allegations of negligence)

Legal Liabilities: Class-action lawsuit and proposed settlement

Identity Theft Risk: High (fraudulent benefit applications)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal, Confidential, Software Bugs, Security Plans, Server Passwords, Official Internet Domains, Conference Calls, Event-Planning System Details, Licence Plates, Related Information, Personal information (details unspecified), Personal Information and Financial Information.

Which entities were affected by each incident ?

Incident : Cyberattack GOV192330422

Entity Name: Canadian Government

Entity Type: Government

Industry: Public Sector

Location: Canada

Incident : Data Breach CAN17246822

Entity Name: Canada Revenue Agency

Entity Type: Government

Industry: Public Sector

Location: Canada

Customers Affected: 80000

Incident : Data Exposure GOV12181122

Entity Name: Government of Canada

Entity Type: Government

Industry: Public Sector

Location: Canada

Incident : Data Breach CAN206221122

Entity Name: Canada Border Services Agency

Entity Type: Government Agency

Industry: Government

Location: Canada

Incident : Data Breach OFF1002510091825

Entity Name: Tiffany & Co.

Entity Type: Corporation

Industry: Luxury Jewelry/Retail

Location: Canada, United States

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Entity Name: Transport Canada

Entity Type: Government Agency

Industry: Transportation / Aviation

Location: Canada

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Entity Type: Cloud-Based Software Provider

Industry: Technology / Cloud Services

Incident : Credential Stuffing GOV1766174849

Entity Name: Canada Revenue Agency (CRA)

Entity Type: Government agency

Industry: Taxation and revenue services

Location: Canada

Size: Large (national government agency)

Customers Affected: Canadians with Government of Canada Online Accounts

Incident : Credential Stuffing GOV1766174849

Entity Name: Government of Canada

Entity Type: Government

Industry: Public administration

Location: Canada

Size: Large (national government)

Customers Affected: Canadians with GCKey or related accounts

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Exposure GOV12181122

Remediation Measures: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.

Incident : Data Breach OFF1002510091825

Incident Response Plan Activated: True

Remediation Measures: Under review by the Office of the Privacy Commissioner of Canada

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Incident Response Plan Activated: True

Third Party Assistance: Federal Security Partners.

Remediation Measures: Collaboration with air operators to mitigate consequences

Incident : Credential Stuffing GOV1766174849

Communication Strategy: Direct notifications to impacted individuals and public statements

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Federal security partners.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach CAN17246822

Type of Data Compromised: Personal, Confidential

Number of Records Exposed: 80000

Sensitivity of Data: High

Incident : Data Exposure GOV12181122

Type of Data Compromised: Software bugs, Security plans, Server passwords, Official internet domains, Conference calls, Event-planning system details

Sensitivity of Data: High

Incident : Data Breach CAN206221122

Type of Data Compromised: Licence plates, Related information

Number of Records Exposed: 1.38 million

Data Exfiltration: Yes

Personally Identifiable Information: Licence plate photos

Incident : Data Breach OFF1002510091825

Type of Data Compromised: Personal information (details unspecified)

Sensitivity of Data: High (personal information)

Incident : Credential Stuffing GOV1766174849

Type of Data Compromised: Personal information, Financial information

Sensitivity of Data: High (personally identifiable and financial information)

Personally Identifiable Information: Yes

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service; Under review by the Office of the Privacy Commissioner of Canada; Collaboration with air operators to mitigate consequences.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach OFF1002510091825

Legal Actions: Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general

Regulatory Notifications: Office of the Privacy Commissioner of Canada, Maine attorney general

Incident : Credential Stuffing GOV1766174849

Regulations Violated: Privacy laws (alleged negligence)

Legal Actions: Class-action lawsuit (T-982-20)

Regulatory Notifications: Direct notifications to impacted individuals

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through the following recorded actions: under review by the Office of the Privacy Commissioner of Canada and Maine attorney general; class-action lawsuit (T-982-20).

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Exposure GOV12181122

Lessons Learned: Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.

Incident : Data Breach CAN206221122

Lessons Learned: Ensure contracts include security safeguards for the protection and retention of personal information.

Incident : Credential Stuffing GOV1766174849

Lessons Learned: Need for stronger safeguards in government online portals to prevent credential stuffing attacks and unauthorized access to sensitive information.

What recommendations were made to prevent future incidents ?

Incident : Data Exposure GOV12181122

Recommendations: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage.

Incident : Credential Stuffing GOV1766174849

Recommendations: Implement multi-factor authentication (MFA) for government online accounts, Enhance monitoring and detection of credential stuffing attacks, Improve incident response and communication strategies, Provide credit monitoring services for affected individuals

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information; Ensure contracts include security safeguards for the protection and retention of personal information; Need for stronger safeguards in government online portals to prevent credential stuffing attacks and unauthorized access to sensitive information.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage.

References

Where can I find more information about each incident ?

Incident : Data Breach CAN17246822

Source: Public Disclosure

Incident : Data Breach OFF1002510091825

Source: The Canadian Press

Date Accessed: 2025-09-17

Incident : Data Breach OFF1002510091825

Source: Winnipeg Free Press

Date Accessed: 2025-09-17

Incident : Data Breach OFF1002510091825

Source: Office of the Privacy Commissioner of Canada (OPC) Breach Report

Incident : Data Breach OFF1002510091825

Source: Maine Attorney General Breach Letter

Incident : Credential Stuffing GOV1766174849

Source: Treasury Board of Canada Secretariat

Incident : Credential Stuffing GOV1766174849

Source: Federal Government Notice

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Public Disclosure; The Canadian Press (date accessed: 2025-09-17); Winnipeg Free Press (date accessed: 2025-09-17); Office of the Privacy Commissioner of Canada (OPC) Breach Report; Maine Attorney General Breach Letter; Treasury Board of Canada Secretariat; Federal Government Notice.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach OFF1002510091825

Investigation Status: Under review by the Office of the Privacy Commissioner of Canada

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Investigation Status: Ongoing (collaboration with federal security partners and law enforcement)

Incident : Credential Stuffing GOV1766174849

Investigation Status: Settlement proposed (pending court approval)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Direct notifications to impacted individuals and public statements.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Stakeholder Advisories: Transport Canada is working with air operators to mitigate potential consequences.

Incident : Credential Stuffing GOV1766174849

Stakeholder Advisories: Government departments sent direct notifications to impacted individuals.

Customer Advisories: Public statements and direct notifications to class members regarding the proposed settlement.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Transport Canada is working with air operators to mitigate potential consequences; Government departments sent direct notifications to impacted individuals; and Public statements and direct notifications to class members regarding the proposed settlement.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach CAN206221122

Entry Point: Unpatched and decommissioned server

Incident : Credential Stuffing GOV1766174849

Entry Point: GCKey service and CRA accounts

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Exposure GOV12181122

Root Causes: Misconfiguration of Trello boards leading to exposure of sensitive information.

Corrective Actions: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools.

Incident : Data Breach CAN206221122

Root Causes: Lack of security safeguards in the contract; Unpatched and decommissioned server

Incident : Cyber Breach (Third-Party Cloud Provider) TRA2702227101825

Corrective Actions: Mitigation efforts to prevent similar incidents in the future

Incident : Credential Stuffing GOV1766174849

Root Causes: Inadequate safeguards in government online portals allowing credential stuffing attacks

Corrective Actions: Proposed settlement includes compensation for affected individuals and potential improvements to security measures.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Federal Security Partners.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools; Mitigation efforts to prevent similar incidents in the future; Proposed settlement includes compensation for affected individuals and potential improvements to security measures.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incident were Anonymous and Unspecified bad actors.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-09.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2020-08-01.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-10-01.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Personal, Confidential, software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details, Licence plates, Related information, and Personal and financial information.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were canada.ca, CSIS website, Trello boards, Cloud-based software provider (third-party), CRA accounts, My Service Canada accounts and GCKey service.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was federal security partners.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were server passwords, Related information, conference calls, security plans, Licence plates, Personal and financial information, event-planning system details, Personal, official internet domains, Confidential and software bugs.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.4M.

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general, Class-action lawsuit (T-982-20).

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information., Ensure contracts include security safeguards for the protection and retention of personal information., Need for stronger safeguards in government online portals to prevent credential stuffing attacks and unauthorized access to sensitive information.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage., Provide credit monitoring services for affected individuals, Enhance monitoring and detection of credential stuffing attacks, Implement multi-factor authentication (MFA) for government online accounts and Improve incident response and communication strategies.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Winnipeg Free Press, Treasury Board of Canada Secretariat, Office of the Privacy Commissioner of Canada (OPC) Breach Report, Public Disclosure, The Canadian Press, Federal Government Notice and Maine Attorney General Breach Letter.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Under review by the Office of the Privacy Commissioner of Canada.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: Transport Canada is working with air operators to mitigate potential consequences; Government departments sent direct notifications to impacted individuals.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was Public statements and direct notifications to class members regarding the proposed settlement.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were GCKey service and CRA accounts, and Unpatched and decommissioned server.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Misconfiguration of Trello boards leading to exposure of sensitive information., Lack of security safeguards in the contract; Unpatched and decommissioned server, Inadequate safeguards in government online portals allowing credential stuffing attacks.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools; Mitigation efforts to prevent similar incidents in the future; Proposed settlement includes compensation for affected individuals and potential improvements to security measures.


Latest Global CVEs (Not Company-Specific)

Description

Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.

Root cause: The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.

Impact: This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
* Run any shell command.
* Exfiltrate environment variables.
* Compromise the CI runner to install backdoors or modify build artifacts.

Credits: Disclosed responsibly by kny4hacker.

Mitigation:
* Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
* Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
* Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

Risk Information
cvss3
Base: 8.1
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=office-of-the-privacy-commissioner-of-canada' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.