5 Cybersecurity Breaches Caused by Staff Errors and Phishing Attacks

Cybersecurity isn’t just about technology—it’s about people. In 2025, Canadian organizations have faced a wave of cyberattacks that exploited staff mistakes, phishing emails, and social engineering tactics. These incidents serve as cautionary tales for business owners, IT leaders, and public sector managers alike.

1. House of Commons Breach via Microsoft Exploit

In August 2025, attackers exploited a critical Microsoft SharePoint vulnerability to infiltrate the House of Commons network. The breach exposed sensitive employee data, including names, job titles, office locations, and device information. Experts warned that this data could be used for targeted phishing and impersonation attacks against parliamentarians and staff. The incident prompted a national security investigation and a call for heightened vigilance.

2. Government MFA Provider Compromised

A cyberattack on 2Keys Corporation, a third-party provider of multi-factor authentication (MFA) services for federal agencies like the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC), exposed phone numbers and email addresses linked to government accounts. The attacker used this contact data to send phishing text messages impersonating official government websites. Although no sensitive data was stolen, the breach highlighted the risks of third-party vulnerabilities.

3. Retail Chain Employee Falls for Fake IT Call

A Canadian retail chain faced a serious breach when a store manager received a call from someone posing as corporate IT support. The caller convinced the manager to install remote access software, giving attackers control over point-of-sale systems and customer data across multiple locations. The breach was traced to a social engineering campaign targeting regional staff, and led to a company-wide overhaul of verification protocols.

4. Healthcare Staff Clicks on Malicious Survey Link

An Ontario-based healthcare provider suffered a breach when an employee clicked on a fake internal survey email. The link installed malware that spread across the network, disrupting patient scheduling and exposing confidential health records. The incident cost the organization over $500,000 in recovery and compliance fines, and emphasized the need for ongoing staff cybersecurity training.

5. City Government in Alberta Hit by Credential Theft

In July 2025, a municipal government in Alberta was targeted by a phishing campaign that tricked staff into revealing login credentials. The attackers used these credentials to access internal systems and exfiltrate sensitive documents. The breach disrupted city services and led to a temporary shutdown of online portals. Officials responded by implementing stricter access controls and mandatory phishing simulations for all employees.

Final Thoughts

These incidents show that phishing and staff errors remain among the most effective tools for cybercriminals. For Canadian organizations, the lesson is clear: cybersecurity must go beyond firewalls and software—it must include people, processes, and proactive education. Investing in staff awareness, secure authentication, and vendor oversight is essential to building a resilient digital foundation.