The same crew of hackers has been making the rounds — they hit a giant Canadian outsourcer in March, an American home-security company in April, and now they've crashed report-card season at thousands of schools. The pattern matters more than any single victim, because the trick they're using is one any small business or non-profit could fall for. We'll also dig into the latest fraud numbers from the Canadian Anti-Fraud Centre and what they tell you about where the money is actually being lost.

Let's get into it.

STORY OF THE WEEK
The same hackers who hit Telus just took down homework for 275 million kids

If your kids, your staff's kids, or your non-profit's program participants use Canvas — the online classroom platform run by a company called Instructure — their personal information may now be sitting in a hacker's data dump. In late April, a criminal group calling itself ShinyHunters quietly walked into Instructure's systems and walked out with roughly 3.65 terabytes of data: names, email addresses, student ID numbers, and even private messages between teachers and students. The total reach: about 275 million people across nearly 8,800 schools, colleges and universities — including Canadian institutions.

The crooks then defaced the Canvas login page with a ransom note and gave schools until May 12 to pay up or watch the data get published. Some schools couldn't get students logged in during the worst possible week of the academic year — finals.

Here's the part that should make every Canadian business leader sit up: this is the same group that stole a petabyte of data from Telus Digital back in March, and the same group that just exposed 5.5 million customer records at home-security giant ADT. They're not breaking down doors. They're walking in through trusted side entrances — third-party software accounts, support staff, and stolen passwords that the original victim never thought to rotate.

You don't have to be the size of Telus to be on their list. You just have to use the same tools.

WHY IT MATTERS TO YOU
Every business and non-profit in Canada now runs on a stack of cloud tools — payroll software, donor databases, scheduling apps, online learning, Salesforce, you name it. When one of those vendors gets breached, your data goes with them. Ask yourself: if your most-used software platform sent you a breach notice tomorrow, would you know what data they had on you, who in your organization had access, and how to lock things down within 24 hours?

WHAT CAN YOU DO RIGHT NOW
Make a list of every cloud tool your organization pays for, plus every "free" tool your staff signed up for with a work email. Beside each one, write down two things: who in your shop has admin access, and whether multi-factor authentication is turned on for that admin account. That single list — usually one page — is the most useful security document a small organization can produce.

THE RIPPLE EFFECT
Three stories, and what they actually mean for your business

Telus Digital quietly confirmed hackers took a petabyte of data
Canada's Telus Digital — the business-process arm of the telecom giant — admitted in March that the same ShinyHunters crew had spent months sitting inside its systems, eventually walking off with nearly one petabyte (that's a thousand terabytes) of customer support recordings, internal files and source code. Telus refused to pay a $65 million bitcoin ransom and brought in forensics teams.

What it means for you: Telus didn't get breached because it was careless. It got breached because attackers used credentials stolen from another vendor — a sales tool called Salesloft Drift — to pivot in. If a Fortune 500 outsourcer can be undone by a supplier's mistake, your business can too. Ask your vendors what their incident response plan looks like.

ADT exposed 5.5 million customer records, through a phone call
Home-security firm ADT confirmed this month that attackers called one of its employees, convinced them they were IT support, and got into the company's Salesforce account. From there, they downloaded data on 5.5 million customers. No malware. No fancy exploit. Just a phone call and a confident voice.

What it means for you: "Voice phishing", or vishing, works on small businesses especially well, because your team probably doesn't have a formal process to verify a caller before changing a password. Brief your bookkeeper, your front desk and your receptionist this week: "If anyone calls asking for a password reset or access change, hang up and call us back on a known number."

CRA scam texts are surging, and your employees are the target
The Canadian Anti-Fraud Centre and provincial police have flagged a sharp spike in fake "Canada Revenue Agency" text messages claiming the recipient is owed a refund. The texts look polished, the links look convincing, and the goal is to steal your SIN, banking info or business GST/HST credentials.

What it means for you: Remind your team, especially anyone who handles payroll or company tax, that the real CRA does not text refund links, e-transfer money, or threaten arrest. One five-minute team meeting this week could save you a six-figure headache later.

STAT OF THE WEEK

$704 million

Total fraud losses reported by Canadians to the Canadian Anti-Fraud Centre in 2025 — and the CAFC estimates only 5–10% of victims ever report. That means the real figure is likely north of $7 billion. Business email compromise alone accounts for hundreds of millions of that total. For a Canadian small business, fraud is now a bigger statistical threat than fire, flood, or theft combined.

Source: Canadian Anti-Fraud Centre (CAFC), 2025 annual fraud reporting. Figures are based on reports filed directly with the CAFC; the CAFC's own analysis notes that only an estimated 5–10% of mass-marketing fraud is ever reported, so totals are understated. See: antifraudcentre-centreantifraude.ca

ONE THING YOU CAN DO THIS WEEK
Build a one-page "SaaS inventory", and turn on MFA for every admin account.

Almost every breach in this week's edition (Canvas, Telus, ADT) followed the same script: attacker gets into a third-party tool, then uses that foothold to reach the real prize. The defence against this is unglamorous but effective: know what you're using, and lock the front door.

Open a Google Doc or a piece of paper and list every cloud service your business pays for (or that your staff uses for free): your email, your accounting, your CRM, your file storage, your e-commerce, your scheduling, your fundraising platform. Next to each one, write down two things: who has the admin login, and whether multi-factor authentication is turned on for that admin login. That's it. That's the document.

Now hand it to your IT provider, your MSP, or a tech-savvy board member and ask them to turn MFA on everywhere it isn't. Most platforms support it; most of them already offer it for free; almost none of them require it by default. This single afternoon of work would have prevented the majority of breaches we've covered this year.
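For whoever receives that list: the following is an added example, not part of the original newsletter. It reads the inventory as a CSV export and reports every tool whose admin login has no named owner, belongs to someone no longer on staff, or does not have MFA confirmed on. The column names, sample rows and staff list are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory: one row per cloud tool, as described above.
SAMPLE_INVENTORY = """tool,admin,admin_mfa
Email,dana@example.org,yes
Accounting,sam@example.org,no
CRM,,yes
File storage,lee@example.org,
Fundraising platform,pat@example.org,Yes
"""

# Constructed list of people who currently work here.
CURRENT_STAFF = {"dana@example.org", "sam@example.org", "lee@example.org"}

MFA_ON = {"yes", "y", "on", "true", "enabled"}
MFA_OFF = {"no", "n", "off", "false", "disabled"}


def audit_inventory(csv_text, current_staff):
    """Return (tool, problem) pairs in the order the tools appear in the sheet."""
    staff = {s.strip().lower() for s in current_staff}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = (row.get("tool") or "").strip()
        admin = (row.get("admin") or "").strip().lower()
        mfa = (row.get("admin_mfa") or "").strip().lower()
        if not tool:
            continue  # skip rows with no tool name
        if not admin:
            findings.append((tool, "no named admin"))
        elif admin not in staff:
            # Admin login still held by someone who has left.
            findings.append((tool, f"admin {admin} is not current staff"))
        if mfa in MFA_OFF:
            findings.append((tool, "MFA off for admin"))
        elif mfa not in MFA_ON:
            # Blank or unrecognised answers count as unknown, never as "on".
            findings.append((tool, "MFA status unknown"))
    return findings


if __name__ == "__main__":
    for tool, problem in audit_inventory(SAMPLE_INVENTORY, CURRENT_STAFF):
        print(f"{tool}: {problem}")
```

An empty result means every listed tool has a current, named admin with MFA confirmed on; it says nothing about tools that never made it onto the list.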

"You can't protect what you don't know you have. Most small business breaches start with a tool nobody remembered to secure."

QUICK BITES

1. AI-written phishing emails are 4.5× more effective than human ones. New research found that scam emails written by AI achieved a 54% click rate, compared to just 12% for the old-school stuff your staff has been trained to spot. The training you ran two years ago is no longer enough; schedule a refresher.

2. Marks & Spencer's "lessons learned" bill: roughly $514 million CAD. A year after British retailer M&S was crippled by a ransomware attack that started with one social-engineering phone call to a supplier, the company has now booked roughly £300 million in lost profit. The Canadian takeaway: your supplier's password-reset process is part of your security stack.

3. Canada's Cyber Centre flagged urgent Linux flaws this week (alert AL26-011). If your website, online store, or backup server runs on Linux — and most do — ask your IT provider whether you're patched against the two vulnerabilities the Canadian Centre for Cyber Security highlighted on May 11. It's a five-minute question that prevents a five-figure problem. (Source: cyber.gc.ca.)

4. Good news for once: 86% of businesses now refuse to pay ransoms. Coalition's 2026 Cyber Claims Report shows initial ransom demands jumped 47% year-over-year, but the share of victims who actually pay has hit a record low. Solid backups and rehearsed incident response are finally tipping the balance. Make sure yours are tested, not just bought.

PARTING THOUGHT
The Canvas story landed the same way the Telus story landed two months ago, and the way the M&S story landed last spring: the victim wasn't sloppy, the attacker wasn't a genius, and the door that got opened was one nobody in the building had thought about in years.

That's the honest shape of cyber risk for Canadian small business and non-profit leaders right now. It's rarely the dramatic Hollywood breach. It's the quiet supplier you signed up for two budgets ago, the admin password from a long-gone employee, the receptionist who thought a phone call sounded legitimate. The good news is that everything in that list is fixable on a Tuesday afternoon, without buying new software.

Resilience isn't a product you purchase. It's a one-page list, a few honest conversations, and the discipline to keep both up to date.

See you next Friday and stay TryberResilent
