Canada’s House of Commons Hit by Data Breach Exploiting Recent Microsoft Vulnerability

Canada’s House of Commons is notifying members and staff of a data breach that stemmed from a recent Microsoft vulnerability.

According to an internal email obtained by CBC.ca, the data leak occurred on Friday, August 8, 2025. It allowed the threat actor to access a database containing personal information.

Microsoft vulnerability data breach leaks House of Commons members’ information

The data breach notification disclosed that the attackers accessed personal details, including the employees’ names, email addresses, job titles, and office locations.

The breach also exposed information about their House of Commons-managed devices, such as device types, telephone numbers, operating systems, models, serial numbers, and mobility service providers.

While limited, the leaked information could expose lawmakers and legislative staff members to phishing, social engineering attacks, and tech support scams.

“The most significant and immediate impact of this data exposure is the heightened risk of future cyberattacks,” said Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka. “The exposed data could be used in targeted scams, such as phishing or vishing attacks, or to impersonate parliamentarians and other employees. For government agencies, the breach of employee data is not just a concern, but a direct and critical threat to national security that must be addressed with utmost urgency.”

Subsequently, legislators and employees were advised to remain vigilant for potential phishing attacks by fraudsters attempting to impersonate lawmakers or staff members.

Meanwhile, the House of Commons and the Canadian Communications Security Establishment (CSE) have yet to disclose the Microsoft vulnerability exploited during the attack. Similarly, the identity of the threat actor remains unknown.

However, Chinese state-sponsored threat actors were observed exploiting the ToolShell Microsoft vulnerability to target government entities and other organizations of geopolitical significance.

While China poses the greatest threat, Russia, Iran, and North Korea also target the United States’ northern neighbor.

So far, known victims of the Microsoft vulnerability exploit include the United States’ National Nuclear Security Administration (NNSA) and the National Institutes of Health (NIH).

The U.S. Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly were also breached via the ToolShell Microsoft vulnerability.

Tracked as CVE-2025-53770 and CVE-2025-53786, the Microsoft vulnerability chain affects unpatched on-premises SharePoint Servers.

In July 2025, Microsoft released emergency updates and urged organizations to apply the recommended fixes to prevent exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had also directed the executive branch to apply security fixes to prevent exploitation of its hybrid cloud environments.

Ransomware groups and Chinese-linked threat actors have also previously exploited the Microsoft Exchange vulnerability CVE-2025-53786 in widespread attacks.

“In recent weeks, vulnerabilities in Microsoft platforms like Exchange and SharePoint have led to data breaches at several major organizations, including Google and the US Department of Health and Human Services,” said Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ. “Reports indicate that ransomware groups, such as Salt Typhoon and Warlock, have exploited these vulnerabilities to attack nearly 400 organizations.”

Meanwhile, CSE has confirmed the data breach and said it is assisting the House of Commons in responding to the cyber attack. However, full attribution of the cyber attack is still a work in progress.

“Attribution of a cyber incident is difficult. Investigating cyber threat activity takes resources and time, and there are many considerations involved in the process of attributing malicious cyber activity,” CSE stated.

Similarly, the total number of individuals impacted by the Canadian House of Commons cyber attack remains unknown.

Canada faces increased cyber attacks

The House of Commons data breach occurred amid increased cyber attacks targeting Canada’s key industries and critical infrastructure.

In four years, Chinese state-linked threat actors have breached 20 Canadian government networks, according to the country’s Cyber Threat Assessment 2025-2026 report.

In June 2025, a cyber attack hit Canada’s WestJet, disrupting the company’s internal operations and customer-facing apps.

In April 2025, power utilities Emera and its subsidiary Nova Scotia suffered a coordinated cyber attack that disrupted operations, causing billing issues.

In September 2023, a data breach affecting the country’s national carrier, Air Canada, also leaked the personal information of employees. In June of the same year, Suncor Energy faced billing issues after experiencing a cyber attack.

“As threat actors continue to exploit these Microsoft vulnerabilities, it’s imperative that governing bodies take proactive steps to safeguard data,” Sood continued. “Implementing zero-trust architecture, segmenting networks, and promptly patching vulnerabilities are crucial to restricting the lateral movement of ransomware, as well as regular red-teaming, third-party risk assessments, and cyber resilience drills.”