
The House of Commons of Canada is investigating a significant data breach following a cyberattack on August 9, 2025. The incident, attributed to exploitation of Microsoft Exchange vulnerabilities (CVE-2025-53770 and CVE-2025-53786), compromised employee names, job titles, email addresses, and device management data [1]. The Communications Security Establishment (CSE) has warned of potential impersonation scams leveraging the stolen data, with suspicions pointing to state-sponsored actors [2].
Attack Vector and Technical Details
The attackers exploited unpatched Microsoft Exchange servers, a recurring issue in Canadian government networks. CSE’s 2025 Threat Assessment notes over 800 vulnerable Exchange servers in Canada, with CVE-2025-53770 (ToolShell) and CVE-2025-53786 (Exchange) actively used for ransomware and espionage [1]. The breach involved:
- Data Exfiltrated: Employee PII (names, titles, emails) and device management logs.
- Tactics: Credential harvesting via phishing lures linked to the stolen email addresses.
- Attribution: CSE’s preliminary analysis suggests APT41 (China) or Cozy Bear (Russia) involvement, based on TTPs like Malleable C2 profiles and DNS-over-HTTPS beaconing [3].
Response and Mitigation
The House of Commons partnered with CSE’s Canadian Centre for Cyber Security (CCCS) to contain the breach. Key steps included:
- Isolating affected Exchange servers and applying Microsoft’s August 2025 patches.
- Enforcing mandatory MFA for all parliamentary accounts.
- Deploying CSE’s Network Traffic Analysis tools to monitor for lateral movement.
CSE has also issued alerts to critical infrastructure operators, emphasizing patch prioritization for CVE-2025-53770, which has a CVSS 9.1 score [1].
Broader Implications for Canadian Cybersecurity
This incident follows a pattern of high-profile attacks in 2025, including the WestJet breach (June 2025) and the 23andMe credential-stuffing incident [4]. The CSE reports a 40% YoY increase in state-sponsored attacks targeting Canadian entities, with the healthcare and energy sectors at particular risk [5].
| Incident | Vector | Data Compromised |
|---|---|---|
| House of Commons (Aug 2025) | Microsoft Exchange | Employee PII |
| WestJet (Jun 2025) | Third-party vendor | Passenger records |
Recommendations for Organizations
Based on CSE’s advisories [2]:
“All federal agencies must complete emergency patching of CVE-2025-53770 by August 31, 2025, and submit incident response plans to CCCS.”
Additional measures include:
- Auditing Exchange Server logs for ToolShell process injection artifacts.
- Implementing Cobalt Strike detection rules for Malleable C2 profiles.
- Conducting purple team exercises to test detection of APT tradecraft.
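The first two audit items above can be turned into concrete detection logic. The following is an added example written for this page, not code from the article, from CSE or from any vendor it names. It assumes Sysmon Event ID 1 field names (ParentImage, Image) for process-creation events and (timestamp, destination) pairs taken from a proxy or DNS log; every hostname, path and timestamp in it is constructed. Because the article names no ToolShell-specific artifact, the first heuristic is the generic web-shell indicator of the IIS worker process spawning a shell or script host; the second is a generic periodicity check for beaconing that tolerates the jitter a Malleable C2 profile adds, rather than a Cobalt Strike signature.

```python
import statistics
from collections import defaultdict

# Heuristic 1: the IIS worker process (w3wp.exe) that fronts Exchange should
# not spawn shells or script hosts. Generic web-shell indicator, not a
# ToolShell-specific IoC (the article names none).
WEB_WORKERS = {"w3wp.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
    "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_process_events(events):
    """Return process-creation events (Sysmon Event ID 1 field names assumed)
    in which a web worker spawned a child on the watch list."""
    hits = []
    for ev in events:
        if (basename(ev["ParentImage"]) in WEB_WORKERS
                and basename(ev["Image"]) in SUSPICIOUS_CHILDREN):
            hits.append(ev)
    return hits


def find_beacons(connections, min_events=6, max_cv=0.35):
    """Heuristic 2: group outbound connections by destination and flag those
    whose inter-arrival times are nearly periodic. The coefficient of
    variation (stdev / mean) absorbs Malleable C2 jitter while still
    separating beacons from human-driven traffic."""
    by_dst = defaultdict(list)
    for ts, dst in connections:
        by_dst[dst].append(ts)
    flagged = {}
    for dst, times in by_dst.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            flagged[dst] = {
                "count": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return flagged


# Constructed sample telemetry (not real data).
PROCESS_EVENTS = [
    {"UtcTime": "2025-08-09 03:12:44",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},           # worker spawning a shell
    {"UtcTime": "2025-08-09 03:12:45",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},       # child not on the watch list
    {"UtcTime": "2025-08-09 08:01:02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},           # user-launched shell
]

# (unix_seconds, destination): one jittered ~60 s beacon to a placeholder
# DoH hostname, and one run of irregular browsing to a placeholder news site.
CONNECTIONS = (
    [(t, "doh.example.net") for t in (1000, 1060, 1115, 1179, 1240, 1297, 1360, 1420)]
    + [(t, "news.example.org") for t in (2000, 2003, 2043, 2045, 2165, 2170, 2470, 2471)]
)

if __name__ == "__main__":
    for hit in audit_process_events(PROCESS_EVENTS):
        print("suspicious child of web worker:", hit)
    for dst, info in find_beacons(CONNECTIONS).items():
        print("possible beacon:", dst, info)
```

On the constructed data the process audit returns only the w3wp.exe → cmd.exe event, and the beacon check flags doh.example.net (eight connections, mean interval 60 s, coefficient of variation about 0.05) while leaving the irregular browsing alone. In production the thresholds, the watch list and the minimum sample count should be tuned against a baseline of the environment's own Exchange front ends, since legitimate tooling can occasionally spawn children from w3wp.exe.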
The House of Commons breach underscores systemic vulnerabilities in government IT infrastructure. With CSE attributing 20+ breaches since 2021 to Chinese state actors [1], proactive patch management and threat simulation are critical for national security.
References
1. “House of Commons confirms data breach linked to Microsoft flaws,” CBC News, Aug. 12, 2025.
2. “Canada’s House of Commons investigating data breach after cyberattack,” Bleeping Computer, Aug. 11, 2025.
3. “House of Commons hit by cyberattack, threat actor steals employee data,” Yahoo News, Aug. 10, 2025.
4. “Joint investigation into 23andMe breach,” Office of the Privacy Commissioner of Canada, Jun. 17, 2025.
5. “Nova Scotia MOVEit breach disclosure,” Government of Nova Scotia, May 31, 2023.