Published September 29, 2025

Interac’s 2Keys MFA Breach: What Canadian Businesses Can Learn from a Federal Phishing Incident

A flaw in Interac’s 2Keys MFA exposed nearly one million Canadian accounts to phishing. Officials called it “non-material,” but the attack shows how even phone numbers and emails can fuel fraud — and why SMBs must strengthen defenses.

Share Article

On September 9, 2025, the Government of Canada disclosed a data security incident involving its third-party multi-factor authentication (MFA) provider, 2Keys Corporation (a subsidiary of Interac). Officials initially described it as a “non-material privacy incident” involving phone numbers and email addresses

Follow-up reporting revealed that the scope was much larger: about 881,000 phone numbers tied to CRA and ESDC accounts and 85,000 email addresses tied to CBSA accounts were accessed. According to the National Post, criminals then sent over 881,000 phishing text messages containing links to spoofed Government of Canada websites. It’s not clear whether this figure reflects the total number of messages actually delivered, or the potential scale given the number of stolen phone numbers.

 


 

What Happened in the Interac 2Keys Data Breach?

 

When and How the Breach Occurred

Between August 3–15, 2025, a routine software update introduced a vulnerability in 2Keys’ MFA platform. This flaw was exploited before it was detected and patched.

What Data Was Exposed

The flaw exposed data for accounts at the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and Canada Border Services Agency (CBSA) and reportedly includes:

  • 881,000 phone numbers
  • 85,000 email addresses

How Attackers Exploited the Information

According to the National Post, criminals used the stolen data to send thousands of phishing/SMS messages. These messages linked to fake government websites designed to harvest login credentials. Government and Interac confirm phishing texts occurred but have not provided an official count.

 


 

What Does “Non-Material Privacy Incident” Mean?

 

The Regulatory Definition

Icon Question MarkA material incident is a breach exposing sensitive data (like SINs, banking details, or health records) that could reasonably cause harm.

A non-material incident is a breach involving less sensitive data (like emails or phone numbers) not expected — in theory — to cause significant harm on its own.

Why “Non-Material” Can Still Mean Real-World Risk

While regulators downplayed the breach, attackers weaponized the data almost immediately. Victims who clicked phishing links were just one step away from handing over real CRA, ESDC, or CBSA credentials. This gap between regulatory labels and attacker behavior is a critical lesson for businesses.

 


 

Why the 2Keys Breach Matters for Canadian Businesses

 

1) Vendor Risk Extends to Your Business

If a trusted provider like Interac can be compromised by a routine update, so can your vendors. Your cybersecurity is only as strong as your weakest link.

2) Even “Basic” Data Fuels Phishing and Fraud

Phone numbers and emails may seem harmless, but in attackers’ hands they enable phishing, credential theft, and fraud.

3) Transparency and Trust After a Breach

The government initially disclosed the breach but did not reveal its scale until pressed by journalists. Delayed disclosure erodes trust — something no SMB can afford with clients or partners.The government initially disclosed the breach but did not reveal its scale until pressed by journalists. Delayed disclosure erodes trust — something no SMB can afford with clients or partners.

 


 

6 Cyber Security tips to protect your online accounts

Key Cybersecurity Lessons for SMBs from the 2Keys Breach

 

Vetting Third-Party Providers

Ask vendors how they secure authentication and sensitive data. Require proof of monitoring and incident response procedures.

Treating All Data as Valuable

Don’t dismiss contact details as low-risk. Train employees to recognize how “basic” data enables sophisticated phishing. 

Layering Security Beyond MFA

MFA is essential, but not invincible. SMBs should also:

 


 

Conclusion: Protecting Your Business Against Vendor and Phishing Risks

 

Kingston Cybersecurity Response Team ResizeThe Interac-owned 2Keys breach shows how quickly “non-material” data can be weaponized — and how regulatory labels don’t always reflect real-world risk. For SMBs, the lesson is clear: don’t measure cybersecurity by what regulators say, measure it by how attackers can use the data.

At allCare IT, we help SMBs across Eastern Ontario stay ahead of threats with proactive monitoring, employee training, and layered security solutions.

Book a Cybersecurity Consultation to safeguard your business from the real-world risks your organization faces every day.