House of Commons of Canada Data Breach via Microsoft Vulnerability (August 2025)

Figure 1: Cyberattack illustration of Canada’s Parliament (image generated by ChatGPT).
If you think hackers only go after banks or tech companies, think again. It turns out they have a thing for Parliaments too. According to a CBC News report, in August 2025 Canada’s House of Commons was struck by a cyberattack that caused a significant data breach.
The House of Commons broke the news to staff via email, alerting them that there had been an information breach. Apparently, a malicious actor was able to penetrate their database via a Microsoft vulnerability. Some information the hacker obtained has not been made public. The data included employees’ names, job titles, office locations and email addresses, as well as information regarding their House of Commons-managed devices.
Canada’s Communications Security Establishment (CSE) confirmed that they are very much aware of the attack and are working with the House of Commons for support, but have not yet pinpointed who was behind it.
A recent threat report from the CSE says that adversarial nations like China, Russia and Iran are increasingly behind cyber threats to Canada. But they say it’s too early to tell who or what is behind this particular breach.
“Attribution of a cyber incident is difficult. Investigating cyber threat activity takes resources and time, and there are many considerations involved in the process of attributing malicious cyber activity,” a CSE statement said.
In the meantime, CSE has called on members of the House of Commons to stay vigilant as the information that has been accessed during this breach could be used for scams, blackmail and impersonation of politicians.
The investigation is still ongoing and is being conducted by the House of Commons in collaboration with national security partners, but they have not released any information as to how many employees were affected.
Why is this a threat?
- Government officials are high-value targets: beyond personal details, they hold highly sensitive data that could be exploited.
- Metadata is quite important to protect: operating systems and serial numbers might sound trivial, but if they fall into the wrong hands, they can cause serious issues.
- It would be very difficult for the public to trust the government since those that make the laws cannot protect their own systems.
It’s quite ironic that the policy makers and politicians who are always adamant that the public protect their data and be cyber smart are the very ones that have now fallen short. I believe Canada has privacy laws like PIPEDA; is it that those laws are not active when it comes to the government getting breached?
What is more concerning is the lack of transparency. Neither the attacker’s identity nor the extent of the breach has been disclosed. That raises public suspicions and skepticism about government institutions.
Solutions and Preventive Measures
- They should have a zero-trust architecture (trust nothing, verify or double check everything!)
- Use device attestation and MFA so leaked metadata is not enough for attackers to use.
- Increase their transparency when breaches happen; citizens deserve honesty, not silence.
Hackers penetrating these systems is not just a problem for Canada, it’s a global wake-up call. Cybersecurity needs to be taken quite seriously and not just tucked under the general IT budget. If lawmakers really want citizens to be cyber aware, then they need to lead by example. They need to protect data and prove they aren’t the weakest link.
References
CBC News. (2025, August 8). House of Commons warns of data breach involving employee information. Retrieved September 18, 2025, from https://www.cbc.ca/news/politics/house-of-commons-data-breach-1.7608061
Office of the Privacy Commissioner of Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA). https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
Great post!!!
I really enjoyed your post, Cooper. This is a wake-up call for everyone, not just the government. If our lawmakers, who set the rules on data protection, can fall victim to these attacks, then who are we? This clearly shows how devious attackers can be. Sincerely hope this leads to stronger security measures.
I fully agree that transparency and active security, such as zero-trust models and multi-factor authentication, are essential for regaining public trust. It is ironic, yet also indicative, that the individuals who establish policies for data protection must also begin to lead by example and demonstrate how cybersecurity matters. This is a sharp reminder around the world that we need much stronger, more transparent cyber defenses at all levels of government. Thank you for clarifying that!
Great job, Cooper!! Reading this post alongside our earlier conversations on government cyber security and privacy really shows how weak and vulnerable even high-level systems can be. It is also worrying that lawmakers who themselves always preach the importance of data privacy and protection can be targets themselves. This is making me reflect on the bigger implications for everyone’s trust in institutions and the need for strong security practices.
Thank you for this post, Cooper! It just goes to show that everything and everyone is hackable, and continuously promotes the known idea that people are the weakest links in terms of security. Aside from hacking large establishments like banks and the government, hackers also hack people. For example, if a target of a hack’s allergies are known to a hacker via socially engineering their loved ones, then that hacker can use that information against the person for things that are more sinister than we might think.
While I do agree that transparency may be equally as important as the breach itself, I wonder if the nature of the information that was hacked played into the reason why such information was not made public? For example, we know that highly classified and sensitive information is typically assessed and handled by governmental bodies, with a process set in place for incident response. Perhaps letting the public know that the House of Commons was hacked was the appropriate extent to which they could share that news?
It definitely makes sense that the public would trust them more, but these things may not be as black and white as we might think. There are a lot of grey areas that an incident like this poses, especially when it has to do with a governmental body like the HoC.
Thank you again for your write up! It was truly insightful and engaging for me.