Good morning. This week, a wildly successful AI startup, the kind every Canadian scale-up aspires to be, got hit through a free open-source tool their developers had installed without a second thought. Meanwhile, tax season is in full swing and Canadian scammers are treating it like Christmas. And a story about financial industry data that quietly affects hundreds of thousands of Canadians.

Let's get into it.

STORY OF THE WEEK
A free tool in your tech stack just became a liability

Mercor is a $10-billion AI startup that counts OpenAI, Anthropic, and Meta among its customers. It is, by most measures, a sophisticated, well-resourced technology company. And last week, hackers walked in through the back door, not by breaking Mercor's own systems, but by compromising a free, widely-used open-source library called LiteLLM that Mercor's developers had installed.

LiteLLM is a library that thousands of companies use to connect their software to AI services. It's legitimate, well-regarded, and free. A hacking group called TeamPCP compromised it, and because a library runs with the same access as the application that loads it, the attackers effectively had a direct path into Mercor's systems. Reportedly four terabytes of data were stolen, including databases, source code, and what appears to be sensitive project information from Mercor's customers. As TechCrunch reported, Mercor was "one of thousands of companies" affected by this single attack on one shared tool.

For Canadian startups and scale-ups, this story deserves a slow read. Most modern software businesses, and increasingly the non-profits running digital operations, use dozens of free, open-source tools without a formal list of what they are or who is responsible for keeping them updated. A compromise of any one of them can become a compromise of your systems.

This is called a supply chain attack, and it's one of the fastest-growing threats facing technology companies of all sizes. It doesn't matter how good your own cybersecurity is: if the tools you depend on are compromised, your data is in play.

WHY IT MATTERS TO YOU
If your business or organization uses any software that connects to AI services, cloud platforms, or third-party APIs, and most growing businesses do, you have a version of this risk. The question isn't whether your IT team or developers are careful. It's whether the tools they rely on are being monitored and updated. Do you know what open-source libraries are running inside your products or internal systems?

WHAT CAN YOU DO RIGHT NOW
Ask your IT provider, developer, or technology team one question this week: "Do we have a list of the third-party tools and open-source libraries our systems depend on, and is anyone responsible for monitoring whether they've had security issues?" If the answer is no, or a long pause, that's your next priority conversation.

THE RIPPLE EFFECT
Three stories, and what they actually mean for your business

1. CRA impersonation scams are peaking — and they're using AI to sound real
Tax season in Canada is now peak season for fraud, and this year scammers are using AI-generated voices and emails that are increasingly difficult to distinguish from the real thing. The Canadian Anti-Fraud Centre and the federal Get Cyber Safe campaign both flagged a surge in CRA-themed scams in April 2026. In some cases, victims received calls that used legitimate-sounding CRA phone numbers. In others, email scams contained real customer service numbers to boost credibility.

The CRA will never contact you by email or text as its first point of contact for a tax issue. The first contact will always be by phone call or letter in the mail. And the CRA will never demand immediate payment by gift card, cryptocurrency, or e-transfer.

What it means for you:
Remind everyone in your business who handles payroll, accounts payable, or tax filings: if anyone claiming to be the CRA contacts them by email or text demanding urgent action or payment, they should hang up, not click anything, and call the actual CRA directly at 1-800-959-8281. This goes double for any requests to "verify" banking details.

2. 750,000 Canadians' investment records were stolen and your clients may be in there
The Canadian Investment Regulatory Organization (CIRO) disclosed that personal information belonging to 750,000 people was compromised during a cyberattack in August 2025. CIRO oversees investment dealers and trading activity across Canada, which means the affected records include data belonging to Canadians who invest through brokerages and financial advisors.

If your business operates in financial services, real estate, accounting, or any sector where clients discuss their finances with you, some of your clients may have received breach notification letters they ignored or didn't understand.

What it means for you:
Clients whose financial data has been exposed are at higher risk of targeted investment fraud and identity theft. If you work with clients on financial matters, it's worth flagging to them that this breach occurred and that they should be extra skeptical of unsolicited investment offers or requests to update banking information.

3. Freedom Mobile customers' personal data was accessed
Freedom Mobile, one of Canada's major wireless carriers, confirmed that unauthorized access to its customer account management platform exposed customer names, home addresses, dates of birth, phone numbers, and account numbers. The breach affects a meaningful number of Canadian mobile subscribers.

For small businesses whose staff or owners are Freedom Mobile customers, this data is now potentially in criminal hands, and can be used to craft convincing impersonation attempts or account takeover scams.

What it means for you:
If you or your employees are Freedom Mobile customers, be alert to any unusual account activity, unexpected password reset requests, or phone number porting attempts. Anyone who can convince a carrier that they're you can redirect your calls and texts, including the two-factor authentication codes that protect your banking and email accounts. Where a service offers it, an authenticator app or hardware security key is a safer second factor than a text message for exactly this reason.

STAT OF THE WEEK

$1.2 billion

That's how much Canadian businesses spent recovering from cyber incidents in 2023 alone, double the figure reported in the previous survey, which covered 2021. And that only counts costs that were reported and measured.

This figure comes from Statistics Canada's own survey data, not an estimate from a cybersecurity vendor. It's a government count of actual recovery spending by Canadian businesses: IT repairs, legal fees, regulatory notifications, and lost productivity among them. For context: that $1.2 billion was spread across a relatively small number of large incidents, and small businesses and non-profits rarely have the resources to recover at all.

ONE THING YOU CAN DO THIS WEEK
Make a list of what your business uses, including the free stuff

Most cybersecurity advice focuses on what to protect. This week, focus on what you're actually running.

The Mercor breach happened because a free, trusted tool was compromised. Your business likely uses several free tools that you've never formally inventoried: accounting software integrations, email plugins, project management apps, AI writing tools, customer service chatbots, form builders, payment processors. Each one is a potential entry point.

You don't need to be technical to do this. Start with a simple list: what tools do your staff log into every week? What does your website connect to? What software does your bookkeeper or developer use on your behalf? Write it down, even a rough list on a page, and share it with whoever handles your IT.

Once you have the list, the question for each item is simple: when was the last time someone checked if it was up to date, and does anyone get notified if it has a security problem? For most small businesses, the honest answer is: no one is watching. That's exactly what attackers are counting on.
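For the developer or IT provider who has to answer those questions, the list can be built from what the code actually declares. What follows is an added example in Python, not material from this newsletter, from Mercor, or from LiteLLM: it reads a Python requirements.txt and an npm package-lock.json into one inventory, flags anything not pinned to an exact version, and flags anything on a watch list of package names taken from advisories. The manifest contents, version numbers and the watch list itself are constructed for illustration.

```python
"""Build a dependency inventory from manifest/lock files and flag what needs attention.

Added example for the 'make a list of what you use' step. Not code from Mercor,
LiteLLM or any vendor. The manifests, versions and watch list are constructed.
"""
import json
import re

# Constructed sample requirements.txt (Python). Version numbers are placeholders.
REQUIREMENTS_TXT = """\
# web service
fastapi
requests==2.32.3
litellm[proxy]>=1.0  # AI gateway, pulled in by the chat feature
-r dev-requirements.txt
"""

# Constructed sample package-lock.json (npm, lockfileVersion 3), trimmed to a few entries.
PACKAGE_LOCK_JSON = json.dumps({
    "name": "site",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "site", "version": "0.1.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/@scope/widget": {"version": "1.2.0"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})

# Illustrative watch list: (ecosystem, name) pairs an advisory feed told you to check.
# 'litellm' is listed only because this issue reports its compromise; no version is claimed.
WATCH_LIST = {("pypi", "litellm")}

# name, optional [extras], optional comparison operator, optional version (stops at ';' markers)
_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def parse_requirements(text):
    """Return [(normalized_name, version_or_None, pinned)] from requirements.txt content."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options such as -r
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1).lower())   # PEP 503 normalization
        op, ver = m.group(3), m.group(4)
        pinned = op == "==" and bool(ver)          # only '==' fixes the installed version
        deps.append((name, ver or None, pinned))
    return deps


def parse_package_lock(text):
    """Return [(name, version, True)] from a package-lock.json 'packages' map (v2/v3).

    Lock files record exact versions, so every entry counts as pinned; nested
    paths like node_modules/a/node_modules/b are transitive dependencies.
    """
    lock = json.loads(text)
    deps = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                               # "" is the project itself
            continue
        name = path.rsplit("node_modules/", 1)[1]  # keeps scoped names like @scope/widget
        deps.append((name, meta.get("version"), True))
    return deps


def build_inventory(requirements_txt, package_lock_json):
    """Merge both ecosystems into one inventory sorted by ecosystem and name."""
    inv = [{"ecosystem": "pypi", "name": n, "version": v, "pinned": p}
           for n, v, p in parse_requirements(requirements_txt)]
    inv += [{"ecosystem": "npm", "name": n, "version": v, "pinned": p}
            for n, v, p in parse_package_lock(package_lock_json)]
    return sorted(inv, key=lambda d: (d["ecosystem"], d["name"]))


def review_inventory(inventory, watch_list=WATCH_LIST):
    """Return (kind, ecosystem, name) findings for unpinned and watch-listed packages.

    Unpinned: a fresh install may silently pull a newer (possibly tampered) release.
    Watch-list: an advisory names it; someone must confirm the deployed version.
    """
    findings = []
    for d in inventory:
        if not d["pinned"]:
            findings.append(("unpinned", d["ecosystem"], d["name"]))
        if (d["ecosystem"], d["name"]) in watch_list:
            findings.append(("watch-list", d["ecosystem"], d["name"]))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(REQUIREMENTS_TXT, PACKAGE_LOCK_JSON)
    for d in inventory:
        print(f'{d["ecosystem"]:5} {d["name"]:20} {d["version"] or "(unpinned)"}')
    for kind, eco, name in review_inventory(inventory):
        print(f"ATTENTION [{kind}] {eco}/{name}")
```

Two caveats for whoever runs this against real repositories. A requirements.txt lists only what the developers asked for; the packages those pull in (the transitive dependencies, which an npm lock file does record) need `pip freeze` or a Python lock file to show up. And pinning only fixes which version you get; it does not by itself tell you that version is safe. The "is anyone watching" part of the question is answered by checking the inventory against an advisory feed on a schedule, and for Python by installing with `pip install --require-hashes` so a republished, altered copy of a pinned version fails to install.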

QUICK BITES

  • Security flaws were found in widely used business networking gear this week.

    The Canadian Centre for Cyber Security issued advisories covering vulnerabilities in Cisco equipment and WatchGuard firewalls, both commonly used by Canadian small businesses. If your office has a firewall or network hardware managed by an IT provider, forward this and ask: are our devices updated? You don't need to know what model you have; that's their job.

  • Tax-themed phishing campaigns are at record levels across North America.

    Security researchers tracked more than 100 separate malicious campaigns in early 2026 using fake tax refund notices, CRA correspondence, and payroll audit requests to steal credentials and install malware. If anyone in your business receives an unexpected email about a tax refund, audit, or CRA account, do not click. Go directly to canada.ca instead.

  • The open-source attack that hit Mercor affected thousands of other companies too.

    LiteLLM, the compromised tool at the centre of the Mercor breach, is used by an enormous number of technology companies, AI startups, and scale-ups worldwide. If your business works with software developers or technology vendors, it's worth asking whether any of your shared systems use tools that were recently flagged in a supply chain compromise.

  • Only about one in four Canadian businesses has ever tested its cybersecurity response.

    A recent industry survey found that while 74% of Canadian organizations have some form of incident response plan, only about 26% have ever run a test of it. A plan you've never practised is just a document. Even a 30-minute "what would we do if we couldn't access our email tomorrow?" conversation with your team counts as a test.

PARTING THOUGHT
There's a version of cybersecurity thinking that goes: if I do everything right, I'm safe. Use strong passwords, update your software, don't click suspicious links, and you'll be fine.

The Mercor story this week is a reminder that this isn't quite how it works anymore. A sophisticated, careful, well-resourced startup got hit not because of something their team did wrong, but because of a free tool that thousands of companies trusted. The attack surface for any organization now extends well beyond its own walls.

That's not a reason for panic. It is a reason to ask better questions, about who has access to your systems, what tools run inside them, and whether anyone is watching.

Most of the time, the businesses that navigate cyber incidents best aren't the ones with the biggest budgets. They're the ones where someone was paying attention before it happened.

See you next Friday, and stay
TryberResilent
