OTTAWA — The federal government says individuals’ email addresses and phone numbers associated with Canada Revenue Agency, Employment and Social Development Canada and Canada Border Services Agency accounts were accessed in a cyberattack.
The Treasury Board of Canada Secretariat says the government was alerted to the cyber incident on Aug. 17 by 2Keys Corporation, the provider of a multi-factor authentication application used for the accounts.
The government says 2Keys Corporation discovered the incident, promptly informed the government and launched an investigation, which is being conducted with external cybersecurity experts.
Treasury Board says a routine software update caused a “vulnerability” that allowed a malicious actor to access phone numbers associated with CRA and ESDC accounts, and email addresses associated with CBSA accounts, linked to people who used the authentication service between Aug. 3 and Aug. 15.
The government says the actor sent spam text messages to some of the phone numbers with a link to a website designed to look like a Government of Canada website.
Treasury Board says the multi-factor authentication service has been restored and there’s no indication that any additional identifiable personal information or sensitive personal data was disclosed.
This report by The Canadian Press was first published Sept. 9, 2025
Catherine Morrison, The Canadian Press