Good morning. This week we’ve got an Ontario utility cleaning up after a break-in, two reminders that the people calling your office may not be who they say they are, and a $350-billion nudge for every Canadian small business still sitting on the AI sidelines. The thread running through all of it: the line between “a tech problem” and “a business problem” has officially disappeared.
Let’s get into it.
🗞️ STORY OF THE WEEK
A hometome hydro utility got hacked, and your customer list is the real prize.
London Hydro, the electricity provider for London, Ontario, told customers on June 20 that intruders had broken into its systems and likely walked away with personal information. We’re talking names, home addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, and contract dates. The good news, such as it is: the utility says banking details, payment cards, birthdates and government ID numbers were not touched.
No ransomware gang has put its hand up to claim the attack, which is increasingly common. The modern playbook isn’t always about locking your screen and demanding Bitcoin. More often, criminals quietly copy data, slip out the back door, and decide later how to make money from it, by selling it, or using those clean, accurate client details to run convincing scams.
And that’s the part that should make every small business owner sit up. A list of real names tied to real addresses, real account numbers and a real, trusted brand is rocket fuel for fraud. Expect London area residents to start receiving “London Hydro” emails and texts about overdue bills or refunds in the coming weeks. The breach didn’t just expose data; it handed scammers a script.
For a small business, the lesson isn’t “utilities have bad security". It’s that the most valuable thing you hold often isn’t money, it’s your customers’ information and the trust attached to your name. Lose control of that, and someone else gets to impersonate you.
Why It Matters To You
If a breach hit your business tomorrow, could you tell your customers exactly what was taken? And would you know within days, not months? Under Canada’s privacy law (PIPEDA), a breach that poses a “real risk of significant harm” must be reported to the Privacy Commissioner and to affected individuals. Silence isn’t a strategy, it’s a liability.
What Can You Do Right Now
Write down the answer to one question: “If our customer data were stolen tonight, who do we call first?” Put your IT provider’s number, your insurance broker’s number, and a one-line note about your PIPEDA reporting duty in a document everyone on your team can find. A breach is a stressful enough event without improvising the response.
⚡THE RIPPLE EFFECT - Three stories, and what they actually mean for your business
The voice on the phone sounds exactly like your boss. It isn’t.
AI “voice cloning” scams have crossed into the mainstream, and they’re hitting businesses hard. Criminals now need only a few seconds of someone’s voice, lifted from a podcast, a webinar, a voicemail greeting or a social post, to generate a convincing fake. In one widely reported case, a finance employee at the engineering firm Arup paid out $25.6 million after a video call with what turned out to be entirely deepfaked colleagues.
What it means for you: Your team can no longer trust a familiar voice as proof of identity. Any request for money or change payment details needs a second, independent check, a callback to a known number, not the one in the message.
Ottawa and Washington hit pause on the next big AI model.
OpenAI agreed to slow the public rollout of its next model, GPT-5.6, after the U.S. administration asked for time to review its cybersecurity capabilities. The model will go first to a small set of vetted enterprise customers, approved one by one, before are wider release. Officials reportedly consider it on par with the most capable systems available.
What it means for you: When governments are nervous enough about an AI tool’s power to throttle its release, treat is as a signal, the same capabilities that supercharge productivity can supercharge attackers. Keep one eye on what your staff are pasting into free AI tools, and write a simple rule about what company data is off-limits.
Canadians lost $704 million to fraud last year, and that’s the visible tip.
The Canadian Anti-Fraud Centre reports Canadians now lost more than $704 million to fraud in 2025, with total losses since 2022 now topping $2.4 billion. The gut punch: the CAFC estimates only 5 to 10 percent of fraud is ever reported, so the real number is far larger. Identity fraud, investment scams and service fraud topped the list.
What it means for you: Fraud is now a business-scale risk, not just a consumer nuisance. Report incidents to the CAFC even when you’ve lost nothing, the data helps police spot the campaigns hitting your region before they reach you.
30%
of Canadian small and medium sized businesses use generative AI today,
yet those that do are roughly 24% more productive.
The Business Development Bank of Canada estimates that closing the gap could unlock nearly $350 billion in economic growth. The takeaway for owners isn’t hype, it’s that AI is quietly becoming a competitive dividing line between businesses that adopt it thoughtfully and those that don’t.
✅ ONE THING TO DO THIS WEEK
Make a “verify by callback” a rule, not a reflex.
Here’s the single habit that defends against this week’s two scariest stories, the deepfake voice scam and the fraud built on stolen customer data. Adopt a firm rule: any request to send money, change banking details, or share sensitive information gets verified through a second channel before anyone acts. No exceptions, even when the request sounds urgent and comes from the loss.
It works like this. Someone calls or emails asking to redirect a payment? Hang up or set the email aside, and call the person back on a number you already have on file, never the number or link they just gave you. It feels almost rude the first time. Do it anyway. Scammers rely on urgency and politeness to short-circuit your judgement; a sixty second callback breaks the spell.
Tell your team the rule out loud this week, and make clear that nobody will ever be in trouble for slowing down to verify. The goal is a workplace where double-checking a money request is normal and expected, not awkward.
📌 QUICK BITES
Ransomware has found its favourite target: businesses your size. Fortinet’s 2026 threat report counted a 389% year-over-year jump in ransomware victims, with mid-sized firms (roughly 50 to 200 staff) absorbing the most attacks. Translation: “too small to be a target” is no longer true, automation lets criminals go after everyone at once.
The price of a Canadian breach keeps climbing. The average data breach at a Canadian organization now runs about CA$6.98 million, up more than 10% year over year, and ransomware accounts for roughly 41% of incidents at small and mid-sized firms. Even a fraction of that figure would sink most small businesses, which is exactly why cyber insurance and a recovery plan are worth a conversation this quarter.
Ottawa is putting money behind AI adoption. BDC launched a $500-million loan program to help Canadian SMEs get off the AI sidelines and invest in the tools and training to use it. If your cost has been your reason for waiting, that excuse just got smaller, worth asking your accountant whether it fits your plans.
That “parking ticket” text is a scam. Authorities are warning of a resurgence of fake parking-fine and toll texts across Ontario, designed to harvest your payment card details. Remind staff: governments and toll operators don’t collect fines by text link. When in doubt, go to the official website directly, never tap the link.
💬 PARTING THOUGHT
There’s a quiet theme connecting a hacked hydro utility, a cloned voice on the phone, and a $350-billion AI opportunity: trust is becoming the most valuable, and most targeted asset your business owns.
The same technology that lets you serve your customers faster lets a stranger impersonate you flawlessly. The same data that makes your business run is the thing criminals most want to steal. None of this means hiding from the tools or living in fear of the next headline. It means being deliberate: knowing what you’d do if the worst happened, and building small, boring habits, a callback here, a written down plan there, that hold up under pressure.
Resilience was never about having the fanciest security. It’s about being the business that double-checks, that has a plan, and that keeps its customers’ trust when others lost it. You’ve got this.
Until next Friday, stay
TryberResilient