A cyberattack on a supplier just exposed the health records of 200,000 home-care patients in Ontario, and the breach didn't start with the government agency at the top of the supply chain. A critical flaw in widely used VPN software is being actively exploited by ransomware gangs right now. Canada officially has no federal AI law, and that gap is widening fast. And if you've ever shopped at Canadian Tire, SportChek, or Mark's online, there's something you should check this weekend. Let's get into it.

🗞️ STORY OF THE WEEK

It Wasn’t Ontario Health That Got Hacked. It Was Their Supplier.

Here's a scenario small business owners should study carefully, not because it happened to you, but because the exact same dynamic could.

Ontario Health atHome coordinates home-care services for hundreds of thousands of Ontarians. They work with vendors. One of those vendors, Ontario Medical Supply, experienced a cyberattack. And because that vendor held data on behalf of Ontario Health atHome, approximately 200,000 home-care patients may now have had their names, contact information, and medical supply or equipment details exposed.

One-third of all home-care patients in Ontario. Exposed through a supplier.

Ontario Health atHome didn't fail its own security audit. They hired a vendor. The vendor got attacked. And the patients, including some of Ontario's most vulnerable people, are the ones absorbing the consequences. The Information and Privacy Commissioner's office was notified. The government confirmed the breach only after questions were raised in the legislature.

This is called third-party risk, and it's one of the most underappreciated threats in small business security. The logic is straightforward but easy to overlook: when you hand your data to a bookkeeper, a payroll provider, a CRM platform, a shipping company, or any other supplier, their security posture becomes your exposure. Their breach becomes your breach. Their notification letter lands in your customers' mailboxes, with your name on it.

The complicating factor is that most small businesses don't have the leverage or the resources to audit every vendor thoroughly. But they can ask the right questions, and use the answers to decide who deserves their data.

Why this matters to you

Think about every external service your business uses that touches customer or employee data. Your accounting software. Your HR platform. Your email marketing tool. Your website hosting provider. Your courier. Each one is a vendor. Each one is a potential breach point that you don’t control. If any of them were attacked tonight, would you know? Would you have the records to notify your customers? Do you even know which customers’ data sits where?

What you can do right now

This week, make a list of every third party that holds data on your behalf, even informally. For each one, ask two questions: “What do they have?” and “Have they had a breach in the last 12 months?” You don’t need a formal vendor risk assessment. A direct email or phone call asking those questions tells you more than most people expect. Vendors that can’t or won’t answer are telling you something important.

⚡THE RIPPLE EFFECT - Three stories, and what they actually mean for your business

Canada Still Has No Federal AI Law. And That Vacuum Is Getting Wider

Canada’s Artificial Intelligence and Data Act (AIDA) died when Bill C-27 was abandoned at prorogation, and it has not been reintroduced. What remains in 2026 is a patchwork: PIPEDA (which barely mentions AI), Quebec's Law 25 (which has some automated-decision obligations), and a loose collection of sector guidance from regulators. Prime Minister Carney's "AI for All" strategy launched this month has ambitious economic targets but no binding rules. Meanwhile, the EU AI Act becomes fully enforceable August 2 and Texas has now enacted standalone AI legislation, making Canada's regulatory inaction increasingly conspicuous.

What it means for you: No law doesn’t mean no risk. Businesses using AI for hiring, credit decisions, customer service, or pricing may still face liability under existing privacy law, sector regulations, and evolving common law. The practical takeaway: don’t wait for Ottawa to define what good AI governance looks like. Start with an inventory: which AI tools are you using, what decisions do they influence, and what data do they touch? The businesses building good habits now will have the easiest time when binding rules do arrive.

38 Million Canadian Accounts Are in a Breach Database Worth Checking

This one isn’t new news, but it’s news many Canadians still haven’t acted on. In October 2025, attackers accessed the e-commerce database behind Canadian Tire, SportChek, Mark’s and Party City online accounts. The stolen data, 42 million records containing 38.3 million unique email addresses, along with names, home addresses, phone numbers, and partial credit card details for some accounts, was loaded into Have I Been Pwned in February 2026. If you haven’t checked whether your email address is in that database, this is a good weekend to do it. The site is free, takes 30 seconds, and tells you every breach your address has appeared in. One more detail worth knowing: 86% of exposed email addresses had already appeared in previous breaches, meaning attackers are combining datasets and building increasingly detailed profiles of Canadian consumers.

What it means for you: Go to haveibeenpwned.com and check your business email, personal email, and any address your team uses to manage business accounts. If your email appears in the Canadian Tire breach, change any passwords you’ve reused across accounts and turn on two-factor authentication on those platforms. This takes under ten minutes and is worth doing.

Your VPN Might Be the Door Ransomware Walks Through

Check Point disclosed a critical authentication-bypass vulnerability in its Remote Access VPN this week, and it’s being actively exploited in the wild. At least one confirmed intrusion has been linked to a Qilin ransomware affiliate. The flaw affects Check Point’s Remote Access VPN, Mobile Access, and Spark Firewall products when using an old key exchange protocol. That last detail matters: Check Point Spark firewalls are specifically marketed to small and medium-sized businesses. CISA issued an emergency patch directive, and exploitation activity has been traced back to early May, meaning attackers may have already been inside some networks for six weeks before the vulnerability was publicly known.

What it means for you: VPNs are often treated as set-it-and-forget-it infrastructure. This story is a reminder that they’re one of the highest value targets for initial access, because once an attacker is inside the VPN, they’re “trusted”. If your business uses Check Point equipment or any VPN product, ask your IT provider today: “Has this been patched, and have you reviewed access logs back to early May?” If they can’t answer immediately, that’s worth pressing.

$6.98M

That’s the average cost of a data breach in Canada in 2026, up 10.4% from last year.

There's a number security professionals use when making the business case for cybersecurity investment, and for Canada, it just went up again. The Canadian Centre for Cyber Security confirmed this week that the average Canadian data breach now costs nearly $7 million, accounting for incident response, legal fees, regulatory notifications, reputational damage, and lost business. That's not just a large-enterprise number. It reflects mid-sized and smaller businesses too. And the trend is moving in the wrong direction.

Ransomware is the primary driver, and the leading groups targeting Canadian businesses right now are Akira, Play, and Medusa. Increasingly, these groups skip the encryption step entirely and go straight to data theft and extortion, because many businesses have learned to restore from backups, but haven't yet learned to prevent the quiet data exfiltration that happens first.

ONE THING TO DO THIS WEEK

Map Who Has Your Data, Before Someone Else Does

This week's Story of the Week is really a vendor story. Ontario Health atHome didn't lose 200,000 patients' data because their own systems failed; they lost it because a supplier's systems failed.

Most small businesses have the same exposure and don't know it.

Here's a quick exercise that takes about 20 minutes and is worth doing once a year. Open a blank document or spreadsheet and answer this question for each tool and service your business uses: Does this vendor hold data about our customers, our employees, or our finances?

Go through your accounting software, your payroll provider, your email marketing platform, your CRM, your bookkeeper, your shipping or courier service, your website hosting company, your IT provider, and any software your team uses to communicate with clients. For each one that holds data, write down: what kind of data, how many people it covers, and whether you've ever confirmed they have a security program or breach notification process.

Most businesses have never done this exercise. The ones that have are dramatically better prepared when a supplier calls to say something went wrong.

If you want to take it one step further, send your three most data-rich vendors a short email this week: "We're reviewing our vendor security posture. Can you confirm whether you've had any security incidents in the last 12 months, and whether you carry cyber insurance?" Their response, or non-response, is useful information.

"You can't control what happens inside a vendor's walls. But you can control which vendors get your data, and whether you'd know if something went wrong."

📌 QUICK BITES

Ottawa is paying $8.7 million to settle a hack that happened six years ago. In 2020, criminals used credential-stuffing attacks to compromise over 12,000 CRA accounts, stealing COVID relief funds and tax refunds. The federal government has now agreed to pay $8.7 million to settle the resulting class action. The lesson for small businesses: breach liability doesn't end when the incident ends. Legal and financial consequences can follow for years, long after the news cycle has moved on.

75,000 Fortinet firewall logins are being sold on criminal forums right now. Criminals are selling recently-harvested admin credentials for Fortinet FortiGate edge firewalls, the devices that sit between the internet and your office network. If your business uses Fortinet equipment, or if your managed IT provider uses it to protect client sites, ask today: have admin passwords been changed recently, is MFA enabled on management interfaces, and is the admin portal accessible from the public internet? Each of those is a door that shouldn't be open.

Windows has an unpatched hole in its built-in antivirus. Microsoft disclosed a zero-day in Microsoft Defender — the security tool built into Windows — codenamed "RoguePlanet" (CVE-2026-50656, CVSS 7.8). A patch hasn't been released yet. The flaw lets an attacker who already has a foothold on a machine escalate to full control. If your business runs Windows and has an IT provider managing updates, flag this to them now. When the patch arrives, it should be treated as urgent, not routine.

Two AI compliance deadlines are now under 45 days away. Texas enacted a standalone AI law last week, and the EU's AI Act becomes fully enforceable on August 2. If your business uses AI to make decisions about customers, employees, or services, and you serve any U.S. or European customers, you may have new obligations arriving fast. The common thread in both laws is documentation: knowing what AI systems you use, what decisions they influence, and what safeguards are in place. Even if neither jurisdiction applies to you today, these are the leading edge of a wave that's coming.

💬 PARTING THOUGHT

This week's story about Ontario Health atHome is one that matters beyond the headline.

Two hundred thousand home-care patients is a big number. But the more important number is one: one vendor, one attack, one breach that cascades into a government agency's worst data security moment of the year. That's the story underneath the story.

We tend to think about cybersecurity as something that happens at the front door: a phishing email arrives, someone clicks it, the attacker is in. But an increasing share of significant breaches now happen through the supply chain, through the bookkeeper, the cloud platform, the IT managed service provider, the courier that processes your shipping data. The attacker finds the weakest link in the chain, not necessarily the most obvious one.

For Canadian small businesses, this week is a useful prompt. Not to panic, but to ask a question most owners haven't asked: who else has my data, and what happens if something goes wrong with them?

The answer to that question is the foundation of a vendor security program. You don't need a formal one. You just need to know the answer.

See you next Friday and stay
TryberResilient
