---
url: 'https://www.corbado.com/blog/data-breaches-canada'
title: '11 Biggest Data Breaches in Canada [2026]'
description: 'Learn about the biggest data breaches in Canada, why Canada is an attractive target for cyber attacks and how these could have been prevented'
lang: 'en'
author: 'Alex'
date: '2025-04-14T12:53:52.558Z'
lastModified: '2026-04-15T06:00:50.943Z'
keywords: 'data breach Canada, largest data breach Canada 2025, cyber attack Canada, user data leak Canada, national data breach Canada, data hack Canada, biggest data breach Canada 2025, hacked Canadian companies'
category: 'Authentication'
---
# 11 Biggest Data Breaches in Canada [2026]
## Key Facts
- **LifeLabs' 2019 ransomware attack** compromised 15 million individuals, making it the
largest reported data breach in Canadian history by volume.
- The 2024 average cost of a **Canadian data breach** was 4.66 million USD, slightly below
the global average of 4.88 million USD.
- The **Desjardins insider threat** lasted over 26 months undetected, exposing 9.7 million
individuals' financial and personal data before the federal Privacy Commissioner
intervened.
- **Credential stuffing** enabled the 2020 CRA attack: password reuse across unrelated
breaches allowed hackers to compromise 11,000+ taxpayer accounts with no MFA blocking
access.
- Nova Scotia Power's 2025 **ransomware attack** exposed Social Insurance Numbers for
approximately 140,000 of its 280,000 affected customers, with stolen data published
online before detection.
## 1. Introduction: Why are Data Breaches a Risk for Canadian Organizations?
Data breaches are on the rise in Canada, impacting multiple sectors and leading to growing
concern among both citizens and organizations: Canadians are increasingly worried about
data security, with 85% expressing concern and 66% reporting heightened anxiety compared
to three years ago. This concern is amplified by high-profile breaches and emerging
threats, such as state-sponsored cyber attacks and [ransomware](https://www.corbado.com/glossary/ransomware).
In 2024, the average cost of a [data breach](https://www.corbado.com/glossary/data-breach) in Canada was $4.66
million USD which is slightly below the global average of $4.88 million USD. In this blog,
we will take a closer look on the biggest data breaches in Canada and analyze how and why
they happened.
## 2. Why is Canada an Attractive Target for Data Breaches?
Canada is an appealing target for data breaches, driven by a combination of factors that
increase the [vulnerability](https://www.corbado.com/glossary/vulnerability) of its critical sectors,
organizations and individuals to cybercriminal activity:
1. **High-value data across industries:** Canada’s [healthcare](https://www.corbado.com/passkeys-for-healthcare),
[financial services](https://www.corbado.com/passkeys-for-banking), [retail](https://www.corbado.com/passkeys-for-e-commerce), and
[energy](https://www.corbado.com/passkeys-for-energy) sectors manage large volumes of sensitive information,
such as personal health records, financial transactions and
[payment](https://www.corbado.com/passkeys-for-payment) data. Just as organizations must strategically protect
critical assets, ensuring leadership strength through a
targeted [CEO staffing](https://www.alphaapexgroup.com/executive-services/ceo-executive-search) can
reinforce governance and crisis readiness. This type of information is extremely
valuable on the black market, positioning these industries as top targets for
cybercriminals. The data is so valubale because it can be used for identity theft,
[insurance](https://www.corbado.com/passkeys-for-insurance) fraud or to access and drain bank accounts.
2. **Geopolitical significance:** Canada’s role in global alliances like the G7 and the
Five Eyes intelligence partnership places it in the crosshairs of state-sponsored cyber
activities. Different countries engage in advanced cyber espionage targeting Canadian
[government](https://www.corbado.com/passkeys-for-public-sector) systems, aiming to collect intelligence and
exfiltrate intellectual property. In addition, Canada is exposed to cyber threats from
hostile states driven by its political affiliations.
## 3. The biggest Data Breaches in Canada
In the following, you find a list of the largest data breaches in Canada. The data
breaches are sorted by the number of impacted customer accounts in descending order.
### 3.1 LifeLabs Data Breach (2019)
| Details | Information |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| Date | October 2019 (disclosed December 2019) |
| Impacted Customer Number | Approximately 15 million individuals |
| Breached Data | - Names
- Addresses
- Email addresses
- Health card numbers
- Lab test results
- Login credentials |
In October 2019, LifeLabs fell victim to a significant [ransomware](https://www.corbado.com/glossary/ransomware)
attack that compromised the personal health data of nearly 15 million individuals, making
it the largest reported breach in Canadian history by volume. The attackers gained
unauthorized access to LifeLabs’ systems and exfiltrated sensitive information before
demanding a ransom. The company confirmed it paid the ransom in an effort to secure the
stolen data, though it could not verify whether the attackers had made copies. The breach
sparked public concern not only due to the sensitivity of the data involved, but also
because LifeLabs delayed notifying the public until December.
Investigations suggested that the breach may have resulted from outdated software, lack of
[end-to-end encryption](https://www.corbado.com/faq/end-to-end-encryption-passkey-sync), and poor monitoring of
system [vulnerabilities](https://www.corbado.com/glossary/vulnerability). The incident exposed significant
weaknesses in LifeLabs’ cybersecurity posture, especially considering the critical nature
of health data.
**Prevention methods:**
- Implement strong encryption and modernize outdated systems
- Use advanced intrusion detection and real-time monitoring tools
- Maintain secure, offline backups to avoid paying ransom
### 3.2 Desjardins Data Breach (2019)
| Details | Information |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------- |
| Date | June 2019 (publicly disclosed) |
| Impacted Customer Number | Approximately 9.7 million individuals |
| Breached Data | - Full names
- Addresses
- Birthdates
- Social insurance numbers
- Email addresses
- Transaction history |
Desjardins Group, one of Canada’s largest financial cooperatives, suffered a massive
insider caused [data breach](https://www.corbado.com/glossary/data-breach) that exposed the personal and
financial details of nearly 9.7 million individuals. The breach was discovered after an
internal investigation revealed that a now-former employee had been collecting and leaking
data over a period of at least 26 months. The information was being transferred outside
the organization and was not detected by Desjardins’ monitoring systems until the federal
Privacy Commissioner got involved.
The nature of this breach, rooted in abuse of legitimate internal access, highlighted
systemic weaknesses in Desjardins’ internal controls, particularly around user activity
monitoring, access rights, and data exfiltration alerts. It remains one of the most
significant examples of an insider threat in Canadian corporate history, especially due to
the duration of the breach and the sensitivity of the data compromised.
**Prevention methods:**
- Enforce strict access controls and least privilege policies
- Monitor and audit employee data access regularly
- Use behavioral analytics to detect unusual activity
### 3.3 Yves Rocher Data Breach (2019)
| Details | Information |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| Date | September 2019 |
| Impacted Customer Number | Approximately 2.5 million individuals |
| Breached Data | - Full names
- Dates of birth
- Phone numbers
- Email addresses
- Postal codes
- Internal store data and product formulas |
In 2019, French cosmetics brand Yves Rocher experienced a significant
[data breach](https://www.corbado.com/glossary/data-breach) involving its Canadian customer base when researchers
discovered an unprotected Elasticsearch database hosted by a third-party service provider.
The exposed system contained records on approximately 2.5 million individuals, including
both personal details and internal corporate data. Even more alarming was that the
database’s configuration allowed read/write access, meaning unauthorized parties could
have added, altered, or deleted information at will.
The breach was traced back to improper access permissions and a lack of authentication on
a cloud-hosted platform used for managing customer and operational data. It demonstrated
how supply chain and third-party vendor security mistakes can directly compromise even
well-established brands. The exposed data included not just customer PII but also
confidential business insights, such as store performance metrics and product composition
data.
**Prevention methods:**
- Enforce strict security protocols for third-party vendors
- Secure cloud services with proper authentication and access controls
- Regularly audit exposed databases for misconfigurations
### 3.4 Nissan Canada Finance Data Breach (2017)
| Details | Information |
| ------------------------ | ----------------------------------------------------------------------------------------------------------- |
| Date | December 2017 |
| Impacted Customer Number | Over 1 million individuals |
| Breached Data | - Full names
- Addresses
- Vehicle details (model, VIN, manufacture date)
- Banking information |
In December 2017, Nissan Canada Finance (NCF) reported a data breach that exposed the
personal information of more than one million current and former customers who had leased
or financed vehicles through the company. The breach involved unauthorized access to
systems containing sensitive customer data, including financial and vehicle-specific
information. The company acknowledged the breach after detecting unusual activity and
launched a full-scale investigation with law enforcement and privacy authorities.
Though NCF did not publicly disclose the technical specifics of the attack, the type of
data accessed suggests that the breach likely resulted from a compromise of backend
systems, possibly via credential theft, poor network segmentation, or insufficient
encryption protocols. To mitigate harm, NCF offered affected customers 12 months of free
credit monitoring and identity theft protection.
**Prevention methods:**
- Strengthen backend system authentication (e.g. with
[phishing](https://www.corbado.com/glossary/phishing)-resistant MFA) and segmentation
- Encrypt all customer data, especially financial information
- Monitor systems continuously for unauthorized access attempts
### 3.5 TIO Networks Data Breach (2017)
| Details | Information |
| ------------------------ | --------------------------------------------------------------------------------------------------------- |
| Date | November–December 2017 |
| Impacted Customer Number | Approximately 1.6 million individuals |
| Breached Data | - Names
- Addresses
- Billing account information
- Payment card data
- Login credentials |
TIO Networks, a Canadian bill [payment](https://www.corbado.com/passkeys-for-payment) processor owned by
[PayPal](https://www.corbado.com/blog/paypal-passkeys), suffered a data breach in late 2017 after its systems
were found to have [vulnerabilities](https://www.corbado.com/glossary/vulnerability) that allowed unauthorized
access to customer records. After detecting unusual activity,
[PayPal](https://www.corbado.com/blog/paypal-passkeys) suspended TIO’s operations and launched a formal
investigation, revealing that hackers had infiltrated multiple areas of the network where
sensitive data was stored. The compromised information included personally identifiable
information and financial account details of approximately 1.6 million users.
The breach pointed to structural weaknesses within TIO’s infrastructure, including
outdated security protocols and inadequate network segmentation. Because TIO’s systems
were distinct from [PayPal](https://www.corbado.com/blog/paypal-passkeys)’s core architecture, the breach did not
affect PayPal users directly, but it raised significant concerns about acquisition-related
cybersecurity due diligence.
**Prevention methods:**
- Conduct comprehensive security audits during mergers and acquisitions
- Isolate and harden legacy systems from core networks
- Implement multi-layered access control and encryption for financial data
### 3.6 Bell Canada Data Breach (2017 & 2018)
| Details | Information |
| ------------------------ | -------------------------------------------------------------------------------------------------- |
| Date | May 2017 and January 2018 |
| Impacted Customer Number | Approximately 2 million combined |
| Breached Data | - Email addresses
- Names and phone numbers (limited subset)
- Account-related information |
Bell Canada experienced two separate data breaches within an eight-month span, beginning
in May 2017 when attackers accessed and leaked roughly 1.9 million email addresses and
1,700 customer names with phone numbers. A second breach in January 2018 compromised
additional customer data, affecting up to 100,000 individuals. In both incidents, Bell
claimed that no financial or password data had been accessed, though the details suggested
a failure to prevent unauthorized entry to internal systems.
The attackers in at least one of the breaches publicly leaked the data and claimed the
motive was to pressure Bell into cooperating with them, implying some form of extortion
attempt. Bell was criticized for its delayed disclosure in both cases, as the initial
breach was not immediately reported to customers. These events highlighted serious issues
in Bell’s data governance, breach detection capabilities, and customer communication
practices.
**Prevention methods:**
- Apply real-time monitoring and incident response protocols
- Limit external access points and tighten perimeter defenses
- Implement customer breach notification procedures with clear timelines
### 3.7 Canada Revenue Agency Data Breach (2020)
| Details | Information |
| ------------------------ | ------------------------------------------------------------------------------------------------------------- |
| Date | August 2020 |
| Impacted Customer Number | Over 11,000 confirmed accounts (potentially more) |
| Breached Data | - SINs
- Taxpayer records
- Direct deposit information
- Login credentials (via reused passwords) |
In August 2020, the Canada Revenue Agency (CRA) fell victim to two separate cyberattacks
that together led to the compromise of more than 11,000 individual online accounts. The
attacks took advantage of a [credential stuffing](https://www.corbado.com/glossary/credential-stuffing)
technique, where hackers used previously stolen usernames and passwords from unrelated
breaches to gain access to CRA accounts. Once inside, attackers were able to view
sensitive taxpayer information, change direct deposit details, and, in some cases, apply
for pandemic-related [government](https://www.corbado.com/passkeys-for-public-sector) benefits.
The breach exposed significant flaws in both user-side practices (such as password reuse)
and system-level security controls at the CRA. The absence of widespread multi-factor
authentication and real-time detection of suspicious activity allowed the attackers to
[exploit](https://www.corbado.com/glossary/exploit) a common vector on a large scale, despite it being a
well-known method of attack.
**Prevention methods:**
- Enforce mandatory multi-factor authentication (e.g. with passkeys) for online services
- Implement rate limiting and anomaly detection for login attempts
- Implement [phishing](https://www.corbado.com/glossary/phishing) resistant authentication technology like
passkeys
### 3.8 Rogers Communications Data Breach (2015/2018/2020)
| Details | Information |
| ------------------------ | ------------------------------------------------------------------------------------------------------------- |
| Date | March 2015, 2018, and 2020 |
| Impacted Customer Number | Approximately 58,000 (2018); extent unclear in others |
| Breached Data | - Email addresses
- Business contact information
- Internal emails
- Customer account information |
Over a span of five years, Rogers Communications experienced multiple data breaches
involving both internal employee accounts and external customer records. The most
publicized incident occurred in 2015 when a hacker group named TeamHans published internal
Rogers data and email logs after an extortion attempt failed. Later breaches in 2018 and
2020 reportedly involved unauthorized access to customer accounts, but public details
remained limited. In at least one case, the leaked data appeared to originate from a
compromised employee account that had access to multiple business client records.
These recurring breaches reflect both external threats and internal control failures,
particularly around email security, access permissions, and timely detection of anomalies.
While the number of affected individuals was relatively moderate compared to larger-scale
incidents, the frequency and visibility of the attacks raised serious concerns about
Rogers’ overall cybersecurity posture.
**Prevention methods:**
- Implement email monitoring and anomaly detection tools
- Enforce privileged access restrictions for internal accounts
- Train employees to recognize and report social engineering attempts
### 3.9 Home Depot Canada Data Breach (2020)
| Details | Information |
| ------------------------ | ----------------------------------------------------------------------------------------- |
| Date | November 2020 |
| Impacted Customer Number | Exact number not disclosed (described as "small") |
| Breached Data | - Names
- Email addresses
- Order numbers
- Last four digits of payment cards |
In November 2020, Home Depot Canada experienced a data incident stemming from an internal
system error rather than a [cyber attack](https://www.corbado.com/glossary/cyber-attack). The issue led to
customers receiving dozens, in some cases hundreds, of mistaken emails containing order
confirmations meant for other people. These emails included partial
[payment](https://www.corbado.com/passkeys-for-payment) information and personal contact details. Although Home
Depot stated that only a small number of customers were affected, the nature of the
exposure created a potential vector for [phishing](https://www.corbado.com/glossary/phishing) or fraud.
This breach was a clear example of how operational glitches in automated systems can still
result in serious privacy concerns. It also illustrated the risks of not properly
validating outbound communications or segregating user data within systems that generate
customer-facing messages.
**Prevention methods:**
- Implement safeguards for outbound customer communications
- Conduct routine testing of order and email systems
- Use stricter access controls in customer-facing automation tools
### 3.10 TransUnion Canada Data Breach (2019)
| Details | Information |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
| Date | Disclosed October 2019 |
| Impacted Customer Number | Approximately 37,000 individuals |
| Breached Data | - Names
- Birthdates
- Credit and loan information
- Addresses (current and former)
- Possibly social insurance numbers |
In 2019, TransUnion Canada disclosed that the personal data of around 37,000 Canadians had
been accessed by a third party through the compromised login credentials of one of
TransUnion’s business customers. The attackers did not breach TransUnion’s systems
directly but instead exploited a legitimate user’s account to access highly sensitive
credit information. The breach persisted for approximately two months before being
detected.
This incident highlighted the significant risk that business partners and clients can pose
to data security, especially when they are given broad access to consumer data. It also
underlined the importance of verifying that enterprise clients adhere to security
standards that match the sensitivity of the data they’re allowed to access.
**Prevention methods:**
- Enforce strict third-party access policies and monitoring
- Apply multi-factor authentication for all partner accounts
- Use behavioral analytics to flag unusual access patterns
### 3.11 Nova Scotia Power Data Breach (2025)
| Details | Information |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Date | March 2025 (detected April 25) |
| Impacted Customer Number | Approximately 280,000 individuals |
| Breached Data | - Full names
- Dates of birth
- Email addresses and phone numbers
- Mailing and service addresses
- Driver’s license numbers (for some)
- Social Insurance Numbers (\~140,000 customers)
- Bank account details for pre-authorized payments
- Billing and credit history
- Power consumption data and service requests |
In March 2025, Nova Scotia Power experienced a [ransomware](https://www.corbado.com/glossary/ransomware) attack
that exposed the sensitive personal and financial information of nearly 280,000 customers
which is almost half of its customer base. The breach went undetected for over a month
before being identified in late April, by which time the stolen data had already been
published online. Unlike other cases, the utility refused to pay the ransom, citing legal
restrictions and guidance from law enforcement agencies.
The attack has drawn heavy scrutiny due to the scale and sensitivity of the data
collected, particularly the inclusion of Social [Insurance](https://www.corbado.com/passkeys-for-insurance)
Numbers (SINs) and bank details for pre-authorized [payments](https://www.corbado.com/passkeys-for-payment).
Experts questioned the necessity of storing such sensitive identifiers, given the
long-term risks of identity theft. Some affected customers have already received alerts
about their data circulating on the dark web. Although Nova Scotia Power offered two years
of free credit monitoring through TransUnion, critics argue that this is insufficient
protection for permanent data like SINs. Public backlash has prompted investigations by
the federal Privacy Commissioner, and executives are expected to testify before lawmakers
in early June. An investigation was launched under the Personal Information Protection and
Electronic Documents Act (PIPEDA).
**Prevention methods:**
- Minimize collection and retention of high-risk personal identifiers (e.g., SINs)
- Enforce strict access controls and endpoint protection against ransomware
- Continuously monitor systems with threat detection and response tools
- Maintain encrypted, immutable backups to support rapid recovery
## 4. Trends in Canadian Data Breaches
After looking at the biggest data breaches that happened in Canada up to 2025, we can
notice a few observations that reoccur across these breaches:
### 4.1 Insiders and internal Errors are a major Threat
Contrary to the dramatic image of hackers breaking through firewalls, many of the most
damaging breaches in Canada were caused by insider or by internal system
misconfigurations. These kinds of threats are especially difficult to detect because they
come from trusted sources within the organization. In some cases, like Desjardins, the
breach lasted over two years before being discovered. This highlights a critical gap in
how companies manage access and monitor internal activity. Implementing strong
[UBO](https://ondato.com/blog/ultimate-beneficial-ownership/) verification processes can
help organizations better identify and manage insider risks.
### 4.2 Simple Mistakes can have massive Consequences
Not all data breaches are the result of advanced cyber warfare. In fact, some of the most
widespread incidents came down to basic, fixable issues, such as unsecured databases,
poorly configured systems, undetected
[hidden spy apps](https://clario.co/blog/how-to-find-hidden-spy-apps-on-android/), or
forgotten security settings. These [vulnerabilities](https://www.corbado.com/glossary/vulnerability) often go
unnoticed until it’s too late, and yet they are among the easiest to prevent with regular
audits.
### 4.3 Ransomware has become one of the most Disruptive Cyber Threats
What once seemed like a niche cybercrime has now become a leading cause of data breaches
and operational shutdowns. Ransomware attacks, where malicious actors encrypt critical
systems and demand payment to restore access, have hit companies of all sizes, across
industries from [healthcare](https://www.corbado.com/passkeys-for-healthcare) to manufacturing. Beyond financial
loss, these attacks can stop day-to-day operations, damage customer trust, and create
long-term reputational harm.
### 4.4 No one is immune, even public Services are under Attack
Cyber attacks are no longer confined to the corporate world. We’ve seen breaches affect
hospitals, [government](https://www.corbado.com/passkeys-for-public-sector) agencies, law enforcement and
utilities. When these systems are disrupted, the consequences aren’t just digital but they
impact real people’s lives.
## 5. Conclusion
Canada’s growing list of data breaches reveals a clear and urgent truth: From large
[healthcare](https://www.corbado.com/passkeys-for-healthcare) providers and financial institutions to government
agencies and [retail](https://www.corbado.com/passkeys-for-e-commerce) giants, attackers are exploiting a wide
range of vulnerabilities. Technical gaps, insider threats, and even simple
misconfigurations are part of big data breaches. The consequences are not just financial
but deeply personal, affecting millions of Canadians whose data has been exposed or
stolen.
What stands out is how many of these breaches could have been prevented with fundamental
cybersecurity practices: strong access controls, employee training, regular system audits,
and secure configurations. At the same time, the increasing sophistication of ransomware
and [credential stuffing](https://www.corbado.com/glossary/credential-stuffing) attacks shows that basic defenses
aren’t enough. Organizations must continually evolve their security strategies, embracing
zero-trust models, advanced monitoring, and incident response plans.
## Frequently Asked Questions
### How did hackers access Canada Revenue Agency accounts in 2020 without directly breaching CRA systems?
Attackers used credential stuffing, feeding previously stolen username and password pairs
into the CRA login portal. Because users reused passwords and the CRA lacked widespread
multi-factor authentication, over 11,000 accounts were compromised, allowing attackers to
alter direct deposit details and apply for pandemic-related government benefits.
### Why did the Desjardins data breach go undetected for over two years?
A malicious insider collected and leaked data over at least 26 months without triggering
Desjardins' monitoring systems. The exfiltration was only uncovered after the federal
Privacy Commissioner became involved, ultimately exposing personal and financial details
of 9.7 million individuals, making it one of the most significant insider threat cases in
Canadian corporate history.
### What made Nova Scotia Power's 2025 ransomware attack uniquely severe compared to other Canadian breaches?
The attack exposed Social Insurance Numbers for approximately 140,000 customers and bank
account details for pre-authorized payments, covering nearly half the utility's customer
base. Stolen data was published online before detection, and critics argue the offered two
years of free credit monitoring is insufficient for permanent identifiers like SINs.
### How did the Yves Rocher 2019 Canadian data breach occur despite no direct hack of the company's own systems?
Researchers discovered an unprotected Elasticsearch database hosted by a third-party
provider, exposing records on approximately 2.5 million individuals with read/write access
and no authentication required. The incident shows that vendor and supply chain security
failures can directly expose customer data including confidential business information
like product formulas and store performance metrics.