On September 9, 2025, the Government of Canada disclosed a data security incident involving its third-party multi-factor authentication (MFA) provider, 2Keys Corporation (a subsidiary of Interac). Officials initially described it as a “non-material privacy incident” involving phone numbers and email addresses
Follow-up reporting revealed that the scope was much larger: about 881,000 phone numbers tied to CRA and ESDC accounts and 85,000 email addresses tied to CBSA accounts were accessed. According to the National Post, criminals then sent over 881,000 phishing text messages containing links to spoofed Government of Canada websites. It’s not clear whether this figure reflects the total number of messages actually delivered, or the potential scale given the number of stolen phone numbers.
What Happened in the Interac 2Keys Data Breach?
When and How the Breach Occurred
Between August 3–15, 2025, a routine software update introduced a vulnerability in 2Keys’ MFA platform. This flaw was exploited before it was detected and patched.
What Data Was Exposed
The flaw exposed data for accounts at the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and Canada Border Services Agency (CBSA) and reportedly includes:
- 881,000 phone numbers
- 85,000 email addresses
How Attackers Exploited the Information
According to the National Post, criminals used the stolen data to send thousands of phishing/SMS messages. These messages linked to fake government websites designed to harvest login credentials. Government and Interac confirm phishing texts occurred but have not provided an official count.
What Does “Non-Material Privacy Incident” Mean?
The Regulatory Definition
A material incident is a breach exposing sensitive data (like SINs, banking details, or health records) that could reasonably cause harm.
A non-material incident is a breach involving less sensitive data (like emails or phone numbers) not expected — in theory — to cause significant harm on its own.
Why “Non-Material” Can Still Mean Real-World Risk
While regulators downplayed the breach, attackers weaponized the data almost immediately. Victims who clicked phishing links were just one step away from handing over real CRA, ESDC, or CBSA credentials. This gap between regulatory labels and attacker behavior is a critical lesson for businesses.
Why the 2Keys Breach Matters for Canadian Businesses
1) Vendor Risk Extends to Your Business
If a trusted provider like Interac can be compromised by a routine update, so can your vendors. Your cybersecurity is only as strong as your weakest link.
2) Even “Basic” Data Fuels Phishing and Fraud
Phone numbers and emails may seem harmless, but in attackers’ hands they enable phishing, credential theft, and fraud.
3) Transparency and Trust After a Breach
The government initially disclosed the breach but did not reveal its scale until pressed by journalists. Delayed disclosure erodes trust — something no SMB can afford with clients or partners.The government initially disclosed the breach but did not reveal its scale until pressed by journalists. Delayed disclosure erodes trust — something no SMB can afford with clients or partners.
Key Cybersecurity Lessons for SMBs from the 2Keys Breach
Vetting Third-Party Providers
Ask vendors how they secure authentication and sensitive data. Require proof of monitoring and incident response procedures.
Treating All Data as Valuable
Don’t dismiss contact details as low-risk. Train employees to recognize how “basic” data enables sophisticated phishing.
Layering Security Beyond MFA
MFA is essential, but not invincible. SMBs should also:
- Monitor logins for unusual activity
- Train staff to spot phishing attempts
- Use endpoint detection and response (EDR) tools
- Apply the principle of least privilege to minimize your attack surface
- Prepare an incident response plan
Conclusion: Protecting Your Business Against Vendor and Phishing Risks
The Interac-owned 2Keys breach shows how quickly “non-material” data can be weaponized — and how regulatory labels don’t always reflect real-world risk. For SMBs, the lesson is clear: don’t measure cybersecurity by what regulators say, measure it by how attackers can use the data.
At allCare IT, we help SMBs across Eastern Ontario stay ahead of threats with proactive monitoring, employee training, and layered security solutions.
Book a Cybersecurity Consultation to safeguard your business from the real-world risks your organization faces every day.