Cyber criminals have reportedly exploited a Microsoft flaw to breach the Canadian House of Commons, leading to the exposure of sensitive staff information.
An internal email sent to employees, cited in a CBC News report, said that the House of Commons alerted staff on August 11 to the breach, and that an unknown threat actor exploited a recently disclosed Microsoft flaw to gain unauthorized access to sensitive data.
The hackers accessed a House of Commons database, with the compromised info including employees’ names, email addresses, job titles and work locations, along with details concerning their House of Commons-managed computers and devices.
With the data compromised, it could potentially be used for targeted phishing impersonation scams, of which the House of Commons employees have now been urged to stay vigilant for.
Canada’s Communications Security Establishment – who defines a threat actor as anyone acting with malicious intent to illicitly access or disrupt data, devices and networks – is aiding in the investigation of the cyber hit.
While a recent CSE report cites countries like Russia, China and Iran increasingly targeting Canada, the origin and identity of the House of Commons cyber attack, which occurred on August 15, remains unclear.
The House of Commons told staff that a “recent Microsoft vulnerability” had been exploited, and although this hasn’t been confirmed, it could be speculated that the attack was carried out through a recently identified flaw, confirmed by the tech giant.
Back in July, Microsoft announced that their SharePoint browser-based app – used for activities like sharing files and collaborating – contained a zero-day vulnerability (tracked as CVE-2025-53770) that was under active exploitation.
“Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild,” Microsoft warned on its website, and explained that it is “preparing and fully testing a comprehensive update” to patch the vulnerability.
Said to be a deserialization of untrusted data in on-premises Microsoft SharePoint Server, the vulnerability could be exploited by a cyber criminal to execute code over a network.
Cyber threats against Canada’s critical infrastructure have been on the increase over the past two years, from both profit-driven and state threat actors.
The most notable were cyber attacks against major airports and energy firms, beginning with Suncor Energy suffering a breach in June 2023 which impacted payment operations at Petro-Canada gas stations across the country.
In April 2025, electric utility Nova Scotia Power and its parent company Emera were struck by a cyber attack that impacted their IT systems and networks.
In September 2023, Air Canada, the country’s chief airline, saw the personal data of some of employees exposed following a breach.
Finally, in June of this year, another Canadian airline WestJet also became a target, with the attack impacting access to some of its internal systems and app.
With hackers and fraudsters constantly devising new schemes to steal personal and financial information, protecting your online lifestyle and business with trusted cyber security has never been more critical.
Our family of online protection tools offer industry-leading apps for all major desktop and mobile devices, with real-time scans from the Award-Winning TotalAV and dangerous content alerts from Total WebShield.
English 
Español 
Deutsch 
Français 
Italiano 
Nederlands 
Português 
Dansk 
Svenska 
Čeština 
Polski 
Türkçe 
Norsk bokmål