This week, Canada’s education sector took centre stage in what experts are calling the largest school data breach in history, and students at some of our biggest universities were caught right in the middle. Meanwhile, AI is pulling in two directions at once: making fraudsters more dangerous than ever, while quietly offering a real productivity edge to businesses willing to take the plunge. We’ve got both angles covered, plus one practical thing you can do today to protect your team from a scam that’s already fooling experienced executives across the country.
Let’s get into it.
STORY OF THE WEEK
Canada’s Universities Caught in the Biggest Educational Data Breach Ever Recorded
In early May, a criminal hacking group called ShinyHunters broke into Canvas — the online learning platform used by thousands of universities worldwide, including the University of Toronto, the University of British Columbia, and the University of Alberta. The attackers made off with 3.65 terabytes of data belonging to approximately 275 million students, teachers, and staff globally. Canadian institutions were directly in the crosshairs.
Canvas, owned by a company called Instructure, detected the intrusion on April 29 and moved quickly to lock the attackers out. But it wasn't over. On May 7, right in the middle of finals season, ShinyHunters struck again — this time replacing Canvas's login page with a ransom demand and taking the platform completely offline. Students couldn't access assignments or grades. Professors couldn't post marks. Administrators scrambled.
The stolen data includes names, email addresses, student ID numbers, and — perhaps most troubling — private messages exchanged between students and their instructors. Instructure eventually announced on May 11 that it had reached a deal with the hackers and that the compromised data had been destroyed. Unconfirmed reports suggest the ransom was in the range of US$10 million.
This is the largest educational data breach ever recorded.
WHY IT MATTERS TO YOU
You may not be a university, but this story captures something every business owner should sit with: your security is only as strong as the platforms and vendors you rely on. Canvas was used by millions of students and educators worldwide. Trusted, well-known, widely deployed. That didn’t protect them. If a hacker wanted to reach your customers or employees through a third-party platform you use, could they? When did you last ask your key software vendors what happens if they get breached?
WHAT CAN YOU DO RIGHT NOW
Check whether your organization, or your employees’ schools or children's schools, use Canvas. If so, tell the people in your life: watch for phishing emails that use exposed names, student IDs, and email addresses. These details are gold for scammers building convincing fake messages. The rule is simple: if an email claims to be from a school or platform and asks you to click a link or log in, go directly to the official website instead, never through the email.
THE RIPPLE EFFECT
Three stories, and what they actually mean for your business
AI Fraudster Are Already Inside Canadian Businesses, and Most of Us Aren’t Ready
A KPMG Canada survey released in March 2026 found that 81% of Canadian companies that experienced fraud in the past year faced an AI-powered attack, and nearly three-quarters of those were targeted more than once. The attacks range from voice-cloned calls impersonating the CEO to demand an urgent wire transfer, to AI-generated fake invoices and identity documents that pass visual inspection, to deepfake video calls where a criminal looks and sounds like someone you trust.
What it means for you:
The technology behind these attacks is now affordable and widely available, you don’t need to be a large company to be targeted. The most practical defence isn’t sophisticated software. It’s a simple rule: any unusual financial requests gets verified through a second channel before it moves. A callback to a known number. A code word. A second approver. Ed sounds like someone you trust.
A Canadian Tech Retailer’s Checkout Was Quietly Compromised for Nearly a Month
In January 2026, Canada Computers & Electronics revealed that attackers had silently compromised its online guest checkout between late December 2025 and January 22, 2026, capturing names, addresses, phone numbers, email addresses, credit card numbers, expiry dates, and CVV codes for 1,284 customers. The breach wasn’t discovered until the company spotted it themselves. Affected customers were offered two years of free credit monitoring.
What it means for you:
This is the “skimmer” attack modernized for e-commerce, and it happens more than most people realize. If you run any kind of online store or take payments through your website, ask your web developer or payment platform: how is out checkout monitored in real time? What would alert us if something changed? And if you shopped at Canada Computers as a guest last winter, check your statements carefully.
The Bank of Canada Says AI Could Be Our Productivity Cure, But We’re Barely Using It
A May 2026 report from the Bank of Canada found that AI is already lifting productivity for businesses that use it, automating routine tasks, reducing costs, and freeing people for higher-value work. The research found that SMEs using generative AI tools gain more than twice the time they invest: for every hour spend using the tools, they get back over two hours in productivity. The sobering part: only about 12% of Canadian firms were actually using AI as of 2025. The Canadian Chamber of Commerce called this a “dial-up versus 5G” problem.
What it means for you:
You don’t need a dedicated AI team or a big budget to start. Pick one repetitive task, drafting routine emails, summarizing meeting notes, writing first-draft proposals, and try an AI tool on it for a week. The businesses pulling ahead aren’t doing anything exotic. They’re just starting somewhere.
STAT OF THE WEEK
105
ransomware attacks hit Canadian organizations in just the first three months of 2026
That’s more than one attack per day, and those are only the confirmed, reported cases. Ransomware attackers increasingly target organizations of every size, not just large enterprises, because small targets often having fewer defences and more pressure to pay quickly to keep operations running.
Source: Comparitech, “Ransomware Roundup: Q1 2026”, published April 2026.
ONE THING YOU CAN DO THIS WEEK
Set Up a Verification Code Word for Unusual Payment Requests
Here’s the scenario unfolding at Canadian businesses right now. Someone on your team gets a call. It sounds exactly like you, your voice, your phrasing, the way you start a sentence. You’re apparently travelling, you say, and you need them to process an urgent wire transfer to a new supplier before end of day. Please keep it between you two for now.
They do it. The money is gone. It wasn’t you.
AI voice cloning has made this attack, sometimes called CEO fraud or “vishing”, frighteningly cheap and easy to pull off. The KPMG Canada survey found that 24% of Canadian companies have already been victims of voice clone attacks. You don’t need to be a large corporation. You just need to have someone on your team who handles payments and trusts their boss.
The fix is almost embarrassingly low-tech: establish a verbal code word with anyone on your team who has authority over payments or sensitive decisions. Any unusual request, regardless of how convincing it sounds or how urgent it feels, requires either a callback to a number you already have on file (not one the caller provides), or use the code word through a separate channel.
Pick a word. Tell the relevant people today. Write it nowhere digital. Done.
This takes ten minutes to set up. It costs nothing. And it stops even the most sophisticated AI voice attack cold.
QUICK BITES
Ottawa puts $66M behind Canadian AI adoption. The federal government announced this month that 44 Canadian companies will receive funding through the AI Compute Access Fund, a $300M program designed to help businesses, including SMEs, afford the computing power needed to build and use AI tools. Supported projects include wildfire detection, drug discovery, public transit optimization, and financial services tools. The fund covers two-thirds of eligible costs for Canadian cloud-based AI compute. If cost has been your barrier to exploring AI, this program is worth a look at ised.canada.ca
Ransomware gangs are quietly changing their playbook. Traditional ransomware, locking your files, demanding payment to unlock them is giving way to pure data extortion. Attackers steal your data and threaten to publish it, without bothering to encrypt anything first. Your systems keep running, which actually makes these attacks harder to spot. The implication: having good backups is no longer enough on its own. Knowing exactly what sensitive data you hold, and where, has become just as important.
Canada’s AI adoption is stuck in slow gear. The Canadian Chamber of Commerce warned this quarter that Canada’s AI adoption rate is falling behind global peers, putting businesses at a competitive disadvantage. With only about 12% of Canadian firms using AI, the Chamber is calling it the difference between dial-up and 5G. This gap hits small businesses hardest, since they have less margin to absorb the inefficiencies that AI adoption tends to close.
Watch out for AI-generated government impersonators. The Competition Bureau of Canada issued a warning earlier this year about a surge in scams using AI-generated voices and realistic-looking documents to impersonate the CRA, Service Canada, and the RCMP. These callers pressure businesses and individuals into paying fake fines or “unlocking” frozen accounts. The rule is the same as always, just harder to remember when the voice sounds authentic: if anyone demands immediate payment claiming to be a government agency, hang up and call the agency directly using the number on their official website.
PARTING THOUGHT
There’s a strange tension at the heart of this week’s news. The same technology that’s making Canadian businesses more productive, AI, is also the technology making criminals more dangerous. That’s uncomfortable to sit with. But it’s worth noting that it has always been this way: the telephone made commerce faster and also enabled phone fraud. Email transformed business and also created phishing. The tool is never the whole story.
What strikes us, though, is how simple the defences still are at the level most small businesses operate. A code word. A callback. A question asked of your software vendor. Checking your statements after an unfamiliar online purchase. None of this requires a technology budget or a security team. It requires attention, and a bit of healthy scepticism.
Canada’s small businesses and non-profits are not powerless. In fact, you have something large organizations often don’t: the ability to move fast, build genuine trust with your team, and change how you work without six months of committee approvals.
The goal isn’t to become a cybersecurity expert. It’s to be a little harder to fool that you were last week.
see you next Friday and stay
TryberResilent