Three Canadian Breaches in 90 Days: What Executives Should Learn from CIRO, Loblaw, and Telus Digital
Imagine your bank, your grocery store, and your phone company all getting broken into the same week. Different burglars. Different methods. Same result: your personal information ends up in someone else's hands.
That's what happened in Canada between January and March 2026. Three of the country's most visible organizations confirmed major data breaches. All three affect millions of Canadians directly, whether as investors, consumers, or telecom subscribers.
The real question is: if someone asks you tomorrow whether the same thing could happen to your organization, do you have an answer?
What happened, in 90 days
On January 14, 2026, the Canadian Investment Regulatory Organization (CIRO) confirmed that a phishing attack, first detected in August 2025, had compromised the personal data of approximately 750,000 Canadian investors. We're talking about social insurance numbers, government-issued IDs, investment account numbers, and account statements. Not emails and names. Information that enables full identity theft. The attack vector? A targeted phishing email. Not a zero-day exploit. Not a sophisticated software vulnerability. An email. According to IBM, phishing is both the most common and the most expensive initial attack vector in Canada, with phishing-related breaches costing an average of CA$7.91 million.
On March 10, 2026, Loblaw, Canada's largest food and pharmacy retailer, reported that an intruder had accessed customer information including names, phone numbers, and email addresses. Loblaw described the breach as low-level. A threat actor disputed that characterization, claiming to hold 75.1 million Salesforce records, hundreds of millions of rows of pharmacy and e-commerce data, and source code. The investigation is ongoing.
On March 12, 2026, Telus Digital, the business process outsourcing arm of Canadian telecom giant Telus, confirmed a cybersecurity incident. The criminal group ShinyHunters claims to have stolen close to one petabyte of data, including customer service call recordings, financial records, source code, and employee background check results. ShinyHunters demanded US$65 million. Telus refused to negotiate.
What changed
Five years ago, a data breach typically meant an attacker found a technical vulnerability, exploited a misconfigured system, or stole a password. The pattern was simple: someone gets in, grabs what they can, and leaves.
What we're seeing in these three incidents is a fundamental shift in the criminal business model. CIRO wasn't targeted for its systems. It was targeted for the data it aggregates through its regulatory mandate. The organization holds information on 750,000 investors not because it manages their accounts, but because it oversees the dealers who do. The data had been collected for legitimate reasons, but the internal data architecture wasn't built for rapid breach response. The proof: it took over 9,000 hours of investigation and five months between detection and notification.
At Telus Digital, the attackers didn't need to find a direct way in. According to the reporting, they reused Google Cloud credentials exposed in a third-party vendor breach (Salesloft Drift), then ran a credential-scanning tool to find further secrets and move from system to system for months before being detected. This is a textbook supply chain attack, and it shows why secrets hygiene matters: every password, API key or token left in a repository, a bucket or a configuration file widens the blast radius of the first stolen credential. According to IBM, supply chain breaches take an average of 267 days to resolve, the longest lifecycle of any attack vector.
The blind spot is duration. This is no longer a burglar who breaks in and leaves the same night. It's an intruder who moves in, explores, copies, and only reveals themselves when they choose to, usually to demand a ransom.
A Wednesday morning in Quebec City
Wednesday, 9:10 AM. The IT manager at a 250-employee engineering firm in Quebec City gets a call from the company's cloud service provider. Unusual activity has been detected in the firm's environments. Large volumes of data were transferred to an external destination over the past several weeks.
The IT manager calls the CEO. The initial investigation reveals that credentials belonging to a former subcontractor employee, never deactivated, were used to access the cloud environment. The attacker had access for 47 days before detection.
The compromised data includes employee records with social insurance numbers, service proposals containing contact information for 3,200 clients, and confidential exchanges with a public sector client. The IT manager has no documented incident response plan. He doesn't know who to call first. The regulator? The clients? The insurer? Under Quebec's Law 25, he's required to assess whether the incident presents a "risk of serious injury." If it does, the organization must promptly notify the Commission d'accès à l'information (CAI) and the affected individuals; whatever the outcome of that assessment, the incident must be recorded in its register of confidentiality incidents. With social insurance numbers in the compromised data, a risk of serious injury would be hard to deny. Canada's federal privacy law, PIPEDA, imposes a similar obligation (notification where there is a "real risk of significant harm") for organizations outside Quebec.
The cyber insurer's first question: did you have multi-factor authentication on all your cloud accounts? The answer is no, not on subcontractor service accounts. Coverage is now in question.
The public sector client wants to know if its own data was affected. It demands a written response within 48 hours and mentions the possibility of suspending current contracts.
This scenario is fictional, but every element is drawn from patterns documented in recent public incidents. The third-party credentials, the detection delays, the missing response plan: these are the same patterns that played out in all three Canadian breaches this quarter.
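In the scenario, the cloud provider noticed the transfers; the firm had no monitoring of its own that would have. As an added illustration (not code from the article or its author), the script below shows the kind of check that would have surfaced the 47-day exfiltration from the firm's own data much earlier. It assumes a constructed daily egress summary (identity, day, bytes sent outside the tenant), which is the shape a provider's flow logs or billing export can be reduced to; the field names, the sample rows and the thresholds are assumptions made for this example.

```python
"""Detect sustained, abnormal outbound transfer per identity.

Added illustration for the scenario above; it is not code from the article or
its author. It assumes a constructed daily egress summary (identity, day, bytes
sent outside the tenant), the shape a cloud provider's flow logs or billing
export can be reduced to. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def sample_egress():
    """Constructed data, not real logs: 40 days of per-identity egress in bytes.

    svc-vendor-acme is a subcontractor service account that was never disabled;
    from day 25 it starts moving about 6.5 GB a day to an external destination.
    svc-backup legitimately pushes 2 GB once a week and must not be flagged.
    """
    start = date(2026, 2, 1)
    rows = []
    for d in range(40):
        day = start + timedelta(days=d)
        rows.append({"identity": "alice@firm.example", "day": day,
                     "bytes": 120_000_000 + (d % 5) * 10_000_000})
        rows.append({"identity": "svc-vendor-acme", "day": day,
                     "bytes": 40_000_000 if d < 25 else 6_500_000_000})
        rows.append({"identity": "svc-backup", "day": day,
                     "bytes": 2_000_000_000 if d % 7 == 0 else 15_000_000})
    return rows


def detect_sustained_egress(rows, baseline_days=14, factor=5.0,
                            min_consecutive=3, floor_bytes=100_000_000):
    """Return one finding per identity-run where daily egress exceeds
    `factor` times that identity's own baseline (median of its first
    `baseline_days`) for at least `min_consecutive` consecutive days.

    Comparing each identity to itself avoids one global threshold that a
    backup job would trip every week; the consecutive-day requirement drops
    single-day spikes, and `floor_bytes` stops near-idle accounts from being
    flagged over a few megabytes.
    """
    by_identity = defaultdict(list)
    for r in rows:
        by_identity[r["identity"]].append(r)

    findings = []
    for identity, recs in by_identity.items():
        recs.sort(key=lambda r: r["day"])
        history, recent = recs[:baseline_days], recs[baseline_days:]
        if len(history) < baseline_days:
            continue  # too little history to judge this identity
        baseline = median(r["bytes"] for r in history)
        threshold = max(baseline * factor, floor_bytes)

        run = []
        for r in recent + [None]:  # sentinel closes an open run at the end
            if r is not None and r["bytes"] > threshold:
                run.append(r)
                continue
            if len(run) >= min_consecutive:
                findings.append({
                    "identity": identity,
                    "baseline_bytes": baseline,
                    "start": run[0]["day"],
                    "end": run[-1]["day"],
                    "days": len(run),
                    "total_bytes": sum(x["bytes"] for x in run),
                })
            run = []
    return findings


if __name__ == "__main__":
    for f in detect_sustained_egress(sample_egress()):
        gb = f["total_bytes"] / 1e9
        print(f"{f['identity']}: {f['days']} days from {f['start']} to {f['end']}, "
              f"{gb:.1f} GB total vs baseline {f['baseline_bytes'] / 1e6:.0f} MB/day")
```

On the constructed data the only finding is the vendor account, flagged on its third consecutive abnormal day rather than after seven weeks; the weekly backup job is left alone because its spikes never last three days in a row. The baseline here is a fixed first-two-weeks window for simplicity; in production a rolling window that excludes days already flagged is the usual refinement, so an attacker cannot slowly raise their own baseline.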
What it costs
Let's go back to our engineering firm. With 3,200 client records and an undetermined number of employee records compromised, we can estimate a ballpark figure.
According to IBM, the average cost per compromised record in Canada is around CA$180. Applied to 3,200 client records, that puts the direct cost in the ballpark of CA$576,000. Treat that as a rough lower bound: the employee records haven't been counted yet, and the fixed costs of a response don't shrink with the record count. The figure also doesn't include forensic investigation (expect CA$50,000 to CA$200,000), legal fees, breach notification costs, or lost contracts.
Then there are the costs that no spreadsheet captures. The IT manager working 18-hour days for three weeks. A four-person IT team absorbing crisis management on top of their normal workload. The stress of not knowing whether the data is being sold while you're still drafting notification letters. The CEO spending days on calls with worried clients instead of developing new business.
CIRO spent more than 9,000 hours on its investigation alone. For a 250-person organization, a breach of this complexity can paralyze operations for weeks.
Why mid-sized organizations are especially exposed
All three breaches this quarter hit organizations with the resources to maintain dedicated security teams. CIRO is a national regulator. Loblaw employs over 220,000 people. Telus is one of Canada's largest telecom providers. All three were compromised.
For a mid-sized company of 150 to 400 employees, the reality is harder. The IT manager often carries security responsibilities on top of day-to-day operations. There's no dedicated CISO. The security budget is a line item inside the IT budget, not a standalone function. Phishing awareness training happens once a year, when it happens at all.
Skill is rarely the problem. Time always is. When the same person manages the network, infrastructure projects, cloud migration, and security, something gets pushed back. And that something is usually the incident response plan, the vendor access review, or the MFA rollout on service accounts.
The Telus Digital breach makes this painfully clear: the attack started at a third-party vendor. Mid-sized companies that outsource services (and they all do) inherit the security risk of every vendor they grant access to.
Five questions to ask Monday morning
These three incidents illustrate weaknesses that most mid-sized organizations share. The phishing attack at CIRO, the third-party credentials at Telus Digital, the unauthorized access at Loblaw: any of these scenarios could play out at your organization.
Here are five questions to bring to your IT team this week.
Are all of our cloud accounts, including vendor and subcontractor accounts, protected by phishing-resistant multi-factor authentication (FIDO2/WebAuthn security keys or passkeys, not SMS codes, one-time codes or push prompts)? For service accounts that cannot sign in interactively, the equivalent question is whether they use short-lived, federated credentials rather than a password or a long-lived key.
Do we have a current inventory of all service accounts, including those created for vendors or employees who are no longer with us, and a process that disables them the day a contract or employment ends?
If we learned tomorrow that an attacker had been in our systems for six weeks, who do we call first? Do we have a documented and tested response plan?
Do we keep a breach register? Have we ever assessed an incident to determine whether it meets the threshold for mandatory notification under PIPEDA or applicable provincial privacy law?
When was the last time we ran a phishing simulation with our employees? A real test, tailored to our environment.
The answers to these questions don't require a multi-million-dollar budget. They require time. And the first step is asking them.
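The first two questions can be answered from an account export rather than from memory. As an added illustration (not the article's or the author's code), the review below runs over a constructed inventory in the shape many IdP and cloud IAM exports reduce to, plus two inputs the reviewer supplies: the people who have left and each vendor's contract end date. The field names and the sample rows are assumptions for this example, as is the rule set: only WebAuthn-based factors count as phishing-resistant for people, only federated short-lived credentials are acceptable for service accounts, and the script goes a step beyond the two questions by also flagging ownerless and stale accounts, since those are the ones nobody notices being abused.

```python
"""Access review for the MFA and stale-account questions above.

Added example; not the article's or the author's code. It runs over a
constructed account export plus two reviewer-supplied inputs (people who have
left, vendor contract end dates). Field names and review rules are assumptions
made for this illustration.
"""
from datetime import date, timedelta

# Assumption: only WebAuthn-based factors count as phishing-resistant for
# people; for service accounts the equivalent is a federated, short-lived
# credential rather than a password or a long-lived key.
PHISHING_RESISTANT_USER = {"fido2", "passkey"}
ACCEPTABLE_SERVICE = {"workload-identity"}
STALE_AFTER = timedelta(days=90)


def sample_export():
    """Constructed inventory, not real data."""
    accounts = [
        {"name": "alice@firm.example", "kind": "user", "owner": "alice", "vendor": None,
         "auth": "fido2", "last_login": date(2026, 3, 10), "enabled": True},
        {"name": "bob@firm.example", "kind": "user", "owner": "bob", "vendor": None,
         "auth": "sms", "last_login": date(2026, 3, 11), "enabled": True},
        {"name": "dave@firm.example", "kind": "user", "owner": "dave", "vendor": None,
         "auth": "totp", "last_login": date(2025, 10, 1), "enabled": True},
        {"name": "carol@firm.example", "kind": "user", "owner": "carol", "vendor": None,
         "auth": "totp", "last_login": date(2025, 12, 1), "enabled": False},
        {"name": "svc-vendor-acme", "kind": "service", "owner": "acme-contact", "vendor": "acme",
         "auth": "password", "last_login": date(2026, 3, 11), "enabled": True},
        {"name": "svc-ci-deploy", "kind": "service", "owner": None, "vendor": None,
         "auth": "long-lived-key", "last_login": date(2025, 11, 2), "enabled": True},
    ]
    departed = {"dave", "carol"}                      # from HR offboarding
    vendor_contract_end = {"acme": date(2026, 1, 31)}  # from procurement
    return accounts, departed, vendor_contract_end


def review(accounts, departed, vendor_contract_end, today):
    """Return findings sorted high-severity first, then by account name."""
    findings = []

    def add(acct, severity, issue):
        findings.append({"account": acct["name"], "severity": severity, "issue": issue})

    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing left to remediate

        # Orphaned access: the person or the contract behind the account is gone.
        if a["owner"] is None:
            add(a, "medium", "no owner recorded")
        elif a["owner"] in departed:
            add(a, "high", f"owner {a['owner']} has left but account is still enabled")
        end = vendor_contract_end.get(a["vendor"])
        if end is not None and end < today:
            add(a, "high", f"vendor {a['vendor']} contract ended {end.isoformat()}; account still enabled")

        # Credential strength: people need a WebAuthn factor, services a federated one.
        if a["kind"] == "user" and a["auth"] not in PHISHING_RESISTANT_USER:
            add(a, "high" if a["auth"] == "none" else "medium",
                f"MFA is not phishing-resistant ({a['auth']})")
        if a["kind"] == "service" and a["auth"] not in ACCEPTABLE_SERVICE:
            add(a, "high", f"service account uses {a['auth']}; move to a federated short-lived credential")

        # Stale: unused accounts are the ones whose abuse nobody notices.
        idle = today - a["last_login"]
        if idle > STALE_AFTER:
            add(a, "medium", f"no sign-in for {idle.days} days")

    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["account"]))
    return findings


def run_sample(today=date(2026, 3, 13)):
    accounts, departed, ends = sample_export()
    return review(accounts, departed, ends, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']:6}] {f['account']}: {f['issue']}")
```

On the constructed export, the still-enabled account of a vendor whose contract ended six weeks ago comes out at the top of the list, which is exactly the account the Quebec City scenario turns on. Carol, already disabled, generates no noise, and the ownerless deployment account surfaces both for its long-lived key and for four months of silence.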
Mario Bouchard, M. Adm., CISSP — President, InfoSec Sécurité de l'information Inc. With over 25 years of experience in cybersecurity, he helps CISOs and IT leaders turn cybersecurity into a delivery accelerator rather than a roadblock. Based in Quebec City. infosecurite.com
Sources
- Canadian Investment Regulatory Organization (CIRO) — Canadian Investment Regulatory Organization update regarding unauthorized access to some Canadian investors' data (January 14, 2026). Confirmation of phishing attack, number of affected investors (750,000), types of compromised data. ciro.ca
- Investment Executive — CIRO's breach is a data-governance failure — not an IT glitch (January 19, 2026). Analysis of the 5-month gap between detection and notification, 9,000+ investigation hours, data governance issues. investmentexecutive.com
- Loblaw Companies Limited — Loblaw Notifies Customers of a Low-Level Data Breach (March 10, 2026). Official notice confirming unauthorized access to basic customer information (names, phone numbers, emails). loblaw.ca
- Salesforce Ben — '75M Salesforce Records Exposed' in Loblaw Breach: Hacker's Deadline Approaches (March 18, 2026). Threat actor claims regarding scope of stolen data (75.1M Salesforce records, pharmacy data, source code). salesforceben.com
- BleepingComputer — Telus Digital confirms breach after hacker claims 1 petabyte data theft (March 12, 2026). Breach confirmation, attack vector details (GCP credentials from Salesloft Drift breach), US$65M ransom demand, types of compromised data. bleepingcomputer.com
- IBM / Ponemon Institute — Cost of a Data Breach Report 2025 (July 2025). Average cost of phishing-related breaches in Canada (CA$7.91M), supply chain breach lifecycle (267 days). ibm.com/reports/data-breach