Notice of Non-Material Privacy Incident Involving Non-Sensitive Personal Information
On August 17, 2025, the Government of Canada was alerted to a cyber incident impacting the application interface of a third party service provider's multi-factor authentication (MFA) used for Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC) and Canada Border Services Agency (CBSA) user accounts. The provider, 2Keys Corporation, discovered the incident, promptly informed the government and launched an investigation.
A routine software update resulted in a vulnerability that allowed a malicious actor to access phone numbers associated with CRA and ESDC accounts and email addresses associated with CBSA accounts of individuals who used the MFA service between August 3 and 15. During this period, the actor sent spam text messages containing a link to a fraudulent phishing website designed to look like a Government of Canada website to some of these phone numbers. There was no impact to CBSA portal users who were accessing their account via email.
2Keys Corporation promptly addressed the software vulnerability and the MFA service has been restored. The 2Keys Corporation investigation, which is being conducted with the help of external cybersecurity experts, confirmed that the breach was limited to phone numbers and email addresses. At this time, there is no indication that any additional personal identifiable information or sensitive personal data was disclosed, and it has been determined that this is a non-material privacy incident.
Users of Government of Canada online services should be vigilant if they receive unexpected messages alleging to originate from the government. As a general reminder:
- Only use one-time passwords that you requested
- Never open attachments from unknown or untrusted sources
- Set up alerts for logins and transactions to monitor your accounts and detect unauthorized access early
- Regularly review recent logins, transactions, or changes in account settings to check for suspicious activity
- Change your password immediately if you suspect your account credentials have been compromised
- Use unique passphrase or complex passwords for every account as part of good cyber hygiene practices
- Report spam text messages by forwarding them to 7726
- Report fraud to your local police and to the Canadian Anti-Fraud Centre via their Online Reporting System or by calling 1-888-495-8501
Organizations across all sectors are facing growing and persistent cyber threats. That is why the Government of Canada has robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.
