Learn about the biggest data breaches in Canada, why Canada is an attractive target for cyber attacks and how these could have been prevented
Alex
Created: April 14, 2025
Updated: April 18, 2025
Data breaches are on the rise in Canada, impacting multiple sectors and leading to growing concern among both citizens and organizations: Canadians are increasingly worried about data security, with 85% expressing concern and 66% reporting heightened anxiety compared to three years ago. This concern is amplified by high-profile breaches and emerging threats, such as state-sponsored cyber attacks and ransomware.
In 2024, the average cost of a data breach in Canada was $4.66 million USD, slightly below the global average of $4.88 million USD. In this blog, we will take a closer look at the biggest data breaches in Canada and analyze how and why they happened.
Canada is an appealing target for data breaches, driven by a combination of factors that increase the vulnerability of its critical sectors, organizations and individuals to cybercriminal activity:
High-value data across industries: Canada’s healthcare, financial services, retail, and energy sectors manage large volumes of sensitive information, such as personal health records, financial transactions and payment data. This type of information is extremely valuable on the black market, positioning these industries as top targets for cybercriminals. The data is so valuable because it can be used for identity theft, insurance fraud or to access and drain bank accounts.
Geopolitical significance: Canada’s role in global alliances like the G7 and the Five Eyes intelligence partnership places it in the crosshairs of state-sponsored cyber activities. Different countries engage in advanced cyber espionage targeting Canadian government systems, aiming to collect intelligence and exfiltrate intellectual property. In addition, Canada is exposed to cyber threats from hostile states driven by its political affiliations.
Below is a list of the largest data breaches in Canada, sorted by the number of impacted customer accounts in descending order.
Details | Information |
---|---|
Date | October 2019 (disclosed December 2019) |
Impacted Customer Number | Approximately 15 million individuals |
Breached Data | - Names - Addresses - Email addresses - Health card numbers - Lab test results - Login credentials |
In October 2019, LifeLabs fell victim to a significant ransomware attack that compromised the personal health data of nearly 15 million individuals, making it the largest reported breach in Canadian history by volume. The attackers gained unauthorized access to LifeLabs’ systems and exfiltrated sensitive information before demanding a ransom. The company confirmed it paid the ransom in an effort to secure the stolen data, though it could not verify whether the attackers had made copies. The breach sparked public concern not only due to the sensitivity of the data involved, but also because LifeLabs delayed notifying the public until December.
Investigations suggested that the breach may have resulted from outdated software, lack of end-to-end encryption, and poor monitoring of system vulnerabilities. The incident exposed significant weaknesses in LifeLabs’ cybersecurity posture, especially considering the critical nature of health data.
Prevention methods:
Details | Information |
---|---|
Date | June 2019 (publicly disclosed) |
Impacted Customer Number | Approximately 9.7 million individuals |
Breached Data | - Full names - Addresses - Birthdates - Social insurance numbers - Email addresses - Transaction history |
Desjardins Group, one of Canada’s largest financial cooperatives, suffered a massive insider-caused data breach that exposed the personal and financial details of nearly 9.7 million individuals. The breach was discovered after an internal investigation revealed that a now-former employee had been collecting and leaking data over a period of at least 26 months. The information was being transferred outside the organization and was not detected by Desjardins’ monitoring systems until the federal Privacy Commissioner got involved.
The nature of this breach, rooted in abuse of legitimate internal access, highlighted systemic weaknesses in Desjardins’ internal controls, particularly around user activity monitoring, access rights, and data exfiltration alerts. It remains one of the most significant examples of an insider threat in Canadian corporate history, especially due to the duration of the breach and the sensitivity of the data compromised.
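The kind of user activity monitoring this passage refers to can be illustrated with a peer-baseline check, shown here as an added example that is not from the original article or from Desjardins. The log format, employee names and both thresholds are assumptions, and the access log is constructed.

```python
from collections import defaultdict
from statistics import median

FACTOR = 5     # assumed: a day counts as anomalous above 5x the peer median
MIN_DAYS = 5   # assumed: report only behaviour sustained over several days

def build_sample_log():
    """Constructed access log rows: (day, employee, role, customer_id)."""
    rows = []
    for day in range(1, 11):
        for emp in ("emp_a", "emp_b", "emp_c", "emp_d", "emp_e"):
            rows += [(day, emp, "advisor", f"{emp}-d{day}-c{n}") for n in range(20)]
        # emp_x uses legitimate access to pull 150 customer records every day
        rows += [(day, "emp_x", "advisor", f"bulk-d{day}-c{n}") for n in range(150)]
    # emp_b has a single busy day, which should not be reported as sustained
    rows += [(3, "emp_b", "advisor", f"campaign-c{n}") for n in range(130)]
    return rows

def sustained_outliers(rows):
    """Return {employee: anomalous_days} for staff far above their role's median."""
    seen = defaultdict(set)            # (day, role, employee) -> distinct customers
    for day, emp, role, cust in rows:
        seen[(day, role, emp)].add(cust)
    per_group = defaultdict(dict)      # (day, role) -> {employee: distinct count}
    for (day, role, emp), custs in seen.items():
        per_group[(day, role)][emp] = len(custs)
    flagged_days = defaultdict(int)
    for counts in per_group.values():
        baseline = median(counts.values())   # what peers in the same role touched
        for emp, n in counts.items():
            if n > FACTOR * baseline:
                flagged_days[emp] += 1
    return {emp: days for emp, days in flagged_days.items() if days >= MIN_DAYS}

if __name__ == "__main__":
    print(sustained_outliers(build_sample_log()))
```

Comparing against peers in the same role, and requiring several anomalous days, is what separates a one-off busy day from slow, steady collection through valid access.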
Prevention methods:
Details | Information |
---|---|
Date | September 2019 |
Impacted Customer Number | Approximately 2.5 million individuals |
Breached Data | - Full names - Dates of birth - Phone numbers - Email addresses - Postal codes - Internal store data and product formulas |
In 2019, French cosmetics brand Yves Rocher experienced a significant data breach involving its Canadian customer base when researchers discovered an unprotected Elasticsearch database hosted by a third-party service provider. The exposed system contained records on approximately 2.5 million individuals, including both personal details and internal corporate data. Even more alarming was that the database’s configuration allowed read/write access, meaning unauthorized parties could have added, altered, or deleted information at will.
The breach was traced back to improper access permissions and a lack of authentication on a cloud-hosted platform used for managing customer and operational data. It demonstrated how supply chain and third-party vendor security mistakes can directly compromise even well-established brands. The exposed data included not just customer PII but also confidential business insights, such as store performance metrics and product composition data.
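The misconfiguration described above (a reachable Elasticsearch node with no authentication) can be caught by auditing node settings before deployment. The following is an added example, not code from the article or from the vendor involved; it assumes the config is written in flat dotted-key form and that a missing security setting means "off", as on 7.x-era nodes, and both sample configs are constructed.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed elasticsearch.yml samples in flat "dotted.key: value" form
WEAK_CONFIG = """
cluster.name: customer-data
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
"""
HARDENED_CONFIG = """
cluster.name: customer-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse flat 'key: value' lines (the dotted-key form of elasticsearch.yml)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of (severity, message) findings for one node's config."""
    s = parse_flat_yaml(text)
    # Assumption: a missing setting means "off", as on 7.x-era nodes
    auth = s.get("xpack.security.enabled", "false").lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    exposed = s.get("network.host", "_local_") not in LOOPBACK
    findings = []
    if not auth:
        findings.append(("CRITICAL" if exposed else "HIGH",
                         "no authentication: any client reaching the HTTP port "
                         "can read, change or delete indices"))
    if exposed and not tls:
        findings.append(("HIGH", "HTTP layer is unencrypted on a non-loopback interface"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Enabling authentication is only the first step: the read/write exposure the article mentions is closed by giving each application account a role limited to the indices and actions it needs.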
Prevention methods:
Details | Information |
---|---|
Date | December 2017 |
Impacted Customer Number | Over 1 million individuals |
Breached Data | - Full names - Addresses - Vehicle details (model, VIN, manufacture date) - Banking information |
In December 2017, Nissan Canada Finance (NCF) reported a data breach that exposed the personal information of more than one million current and former customers who had leased or financed vehicles through the company. The breach involved unauthorized access to systems containing sensitive customer data, including financial and vehicle-specific information. The company acknowledged the breach after detecting unusual activity and launched a full-scale investigation with law enforcement and privacy authorities.
Though NCF did not publicly disclose the technical specifics of the attack, the type of data accessed suggests that the breach likely resulted from a compromise of backend systems, possibly via credential theft, poor network segmentation, or insufficient encryption protocols. To mitigate harm, NCF offered affected customers 12 months of free credit monitoring and identity theft protection.
Prevention methods:
Details | Information |
---|---|
Date | November–December 2017 |
Impacted Customer Number | Approximately 1.6 million individuals |
Breached Data | - Names - Addresses - Billing account information - Payment card data - Login credentials |
TIO Networks, a Canadian bill payment processor owned by PayPal, suffered a data breach in late 2017 after its systems were found to have vulnerabilities that allowed unauthorized access to customer records. After detecting unusual activity, PayPal suspended TIO’s operations and launched a formal investigation, revealing that hackers had infiltrated multiple areas of the network where sensitive data was stored. The compromised information included personally identifiable information and financial account details of approximately 1.6 million users.
The breach pointed to structural weaknesses within TIO’s infrastructure, including outdated security protocols and inadequate network segmentation. Because TIO’s systems were distinct from PayPal’s core architecture, the breach did not affect PayPal users directly, but it raised significant concerns about acquisition-related cybersecurity due diligence.
Prevention methods:
Details | Information |
---|---|
Date | May 2017 and January 2018 |
Impacted Customer Number | Approximately 2 million combined |
Breached Data | - Email addresses - Names and phone numbers (limited subset) - Account-related information |
Bell Canada experienced two separate data breaches within an eight-month span, beginning in May 2017 when attackers accessed and leaked roughly 1.9 million email addresses and 1,700 customer names with phone numbers. A second breach in January 2018 compromised additional customer data, affecting up to 100,000 individuals. In both incidents, Bell claimed that no financial or password data had been accessed, though the details suggested a failure to prevent unauthorized entry to internal systems.
The attackers in at least one of the breaches publicly leaked the data and claimed the motive was to pressure Bell into cooperating with them, implying some form of extortion attempt. Bell was criticized for its delayed disclosure in both cases, as the initial breach was not immediately reported to customers. These events highlighted serious issues in Bell’s data governance, breach detection capabilities, and customer communication practices.
Prevention methods:
Details | Information |
---|---|
Date | August 2020 |
Impacted Customer Number | Over 11,000 confirmed accounts (potentially more) |
Breached Data | - SINs - Taxpayer records - Direct deposit information - Login credentials (via reused passwords) |
In August 2020, the Canada Revenue Agency (CRA) fell victim to two separate cyberattacks that together led to the compromise of more than 11,000 individual online accounts. The attacks took advantage of a credential stuffing technique, where hackers used previously stolen usernames and passwords from unrelated breaches to gain access to CRA accounts. Once inside, attackers were able to view sensitive taxpayer information, change direct deposit details, and, in some cases, apply for pandemic-related government benefits.
The breach exposed significant flaws in both user-side practices (such as password reuse) and system-level security controls at the CRA. The absence of widespread multi-factor authentication and real-time detection of suspicious activity allowed the attackers to exploit a common vector on a large scale, despite it being a well-known method of attack.
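The real-time detection this passage says was missing can be approximated from authentication logs: a credential stuffing source tries many different usernames in a short window and mostly fails. This is an added example, not code from the article or from the CRA; the event format, IP addresses, usernames and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 10   # assumed threshold, tune per site
MIN_FAILURE_RATIO = 0.8   # assumed threshold

def _t(minute, second=0):
    return datetime(2020, 8, 1, 9, minute, second)

# Constructed sample events: (time, source_ip, username, success)
SAMPLE_EVENTS = (
    # One source cycling through 30 usernames, one attempt each, two hits
    [(_t(0, i), "203.0.113.7", f"user{i:02d}", i in (11, 23)) for i in range(30)]
    # A legitimate user mistyping their own password, then succeeding
    + [(_t(1, s), "198.51.100.20", "alice", ok)
       for s, ok in ((0, False), (20, False), (40, True))]
    # Ordinary single logins
    + [(_t(2), "198.51.100.31", "bob", True), (_t(3), "198.51.100.32", "carol", True)]
)

def detect_stuffing(events):
    """Return {source_ip: accounts it logged in to} for credential stuffing sources."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than WINDOW
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if (len(users) >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO):
                # Every account this source got into needs review and a reset
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

The returned account list is the part that matters for response: those logins succeeded with reused passwords, so they are the ones to lock and check for changed direct deposit details.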
Prevention methods:
Details | Information |
---|---|
Date | March 2015, 2018, and 2020 |
Impacted Customer Number | Approximately 58,000 (2018); extent unclear in others |
Breached Data | - Email addresses - Business contact information - Internal emails - Customer account information |
Over a span of five years, Rogers Communications experienced multiple data breaches involving both internal employee accounts and external customer records. The most publicized incident occurred in 2015 when a hacker group named TeamHans published internal Rogers data and email logs after an extortion attempt failed. Later breaches in 2018 and 2020 reportedly involved unauthorized access to customer accounts, but public details remained limited. In at least one case, the leaked data appeared to originate from a compromised employee account that had access to multiple business client records.
These recurring breaches reflect both external threats and internal control failures, particularly around email security, access permissions, and timely detection of anomalies. While the number of affected individuals was relatively moderate compared to larger-scale incidents, the frequency and visibility of the attacks raised serious concerns about Rogers’ overall cybersecurity posture.
Prevention methods:
Details | Information |
---|---|
Date | November 2020 |
Impacted Customer Number | Exact number not disclosed (described as "small") |
Breached Data | - Names - Email addresses - Order numbers - Last four digits of payment cards |
In November 2020, Home Depot Canada experienced a data incident stemming from an internal system error rather than a cyber attack. The issue led to customers receiving dozens, in some cases hundreds, of mistaken emails containing order confirmations meant for other people. These emails included partial payment information and personal contact details. Although Home Depot stated that only a small number of customers were affected, the nature of the exposure created a potential vector for phishing or fraud.
This breach was a clear example of how operational glitches in automated systems can still result in serious privacy concerns. It also illustrated the risks of not properly validating outbound communications or segregating user data within systems that generate customer-facing messages.
Prevention methods:
Details | Information |
---|---|
Date | Disclosed October 2019 |
Impacted Customer Number | Approximately 37,000 individuals |
Breached Data | - Names - Birthdates - Credit and loan information - Addresses (current and former) - Possibly social insurance numbers |
In 2019, TransUnion Canada disclosed that the personal data of around 37,000 Canadians had been accessed by a third party through the compromised login credentials of one of TransUnion’s business customers. The attackers did not breach TransUnion’s systems directly but instead exploited a legitimate user’s account to access highly sensitive credit information. The breach persisted for approximately two months before being detected.
This incident highlighted the significant risk that business partners and clients can pose to data security, especially when they are given broad access to consumer data. It also underlined the importance of verifying that enterprise clients adhere to security standards that match the sensitivity of the data they’re allowed to access.
Prevention methods:
After looking at the biggest data breaches that happened in Canada up to 2025, we can see a few patterns that recur across these breaches:
Contrary to the dramatic image of hackers breaking through firewalls, many of the most damaging breaches in Canada were caused by insiders or by internal system misconfigurations. These kinds of threats are especially difficult to detect because they come from trusted sources within the organization. In some cases, like Desjardins, the breach lasted over two years before being discovered. This highlights a critical gap in how companies manage access and monitor internal activity.
Not all data breaches are the result of advanced cyber warfare. In fact, some of the most widespread incidents came down to basic, fixable issues, such as unsecured databases, poorly configured systems, or forgotten security settings. These vulnerabilities often go unnoticed until it’s too late, and yet they are among the easiest to prevent with regular audits.
What once seemed like a niche cybercrime has now become a leading cause of data breaches and operational shutdowns. Ransomware attacks, where malicious actors encrypt critical systems and demand payment to restore access, have hit companies of all sizes, across industries from healthcare to manufacturing. Beyond financial loss, these attacks can stop day-to-day operations, damage customer trust, and create long-term reputational harm.
Cyber attacks are no longer confined to the corporate world. We’ve seen breaches affect hospitals, government agencies, law enforcement and utilities. When these systems are disrupted, the consequences aren’t just digital; they impact real people’s lives.
Canada’s growing list of data breaches reveals a clear and urgent truth: From large healthcare providers and financial institutions to government agencies and retail giants, attackers are exploiting a wide range of vulnerabilities. Technical gaps, insider threats, and even simple misconfigurations are part of big data breaches. The consequences are not just financial but deeply personal, affecting millions of Canadians whose data has been exposed or stolen.
What stands out is how many of these breaches could have been prevented with fundamental cybersecurity practices: strong access controls, employee training, regular system audits, and secure configurations. At the same time, the increasing sophistication of ransomware and credential stuffing attacks shows that basic defenses aren’t enough. Organizations must continually evolve their security strategies, embracing zero-trust models, advanced monitoring, and incident response plans.