Hackers Exploit Microsoft Flaw to Breach Canada's House of Commons
In a shocking cyberattack, hackers compromised the personal data of employees at Canada's House of Commons by exploiting a recent Microsoft vulnerability. According to CBC News, the breach was carried out by an unknown "threat actor" who targeted employee information, including names, job titles, office locations, and email addresses.
The intruders gained unauthorized access to a database containing information used to manage computers and mobile devices managed by the House of Commons. This data includes sensitive information about employees, which could be misused for scams or impersonation. The Canada's Communications Security Establishment (CSE) is assisting in the investigation into the incident, but the attacker's identity remains unknown.
A Threat Actor by Any Other Name
The CSE defines a threat actor as anyone acting with malicious intent to access or disrupt data, devices, or networks without authorization. In this case, the attack is believed to be linked to a recently exploited Microsoft SharePoint zero-day vulnerability tracked as CVE-2025-53770.
A Zero-Day Vulnerability on the Loose
In July, Microsoft warned of a SharePoint zero-day vulnerability, tracked as CVE-2025-53770 (CVSS score of 9.8), which is under active exploitation. The vulnerability allows an unauthorized attacker to execute code over a network by deserializing untrusted data in on-premises Microsoft SharePoint Server.
Viettel Cyber Security reported the flaw via Trend Micro's ZDI, and Microsoft has confirmed that an exploit for CVE-2025-53770 exists in the wild. The company is preparing a comprehensive update to address this vulnerability, but in the meantime, users are advised to implement mitigation measures to protect themselves from exploitation.
A Growing Cyber Threat Landscape
Canada faces growing cyber threats from criminals and state actors, with incidents rising sharply in the past two years. State adversaries are becoming bolder, while profit-driven criminals exploit illicit tools and AI. China is deemed the most sophisticated and active threat, linked to breaches of at least 20 federal networks over the past four years.
Cyber threats targeting Canada's critical infrastructure are increasing. In recent incidents, Canadian airline WestJet suffered a cyberattack that impacted access to some internal systems and the company's app in June. Nova Scotia Power and parent company Emera faced a cyberattack that disrupted their IT systems and networks in April 2025. Air Canada also reported a cyberattack that exposed personal information of some employees in September 2023.
A Call to Action
The House of Commons breach highlights the importance of cybersecurity awareness and the need for individuals to take proactive measures to protect themselves from cyber threats. Staff and members were urged to stay alert for scams, with no attribution given for the attack.
As the cyber threat landscape continues to evolve, it is essential for organizations and individuals to stay vigilant and take steps to protect themselves from exploitation. By being aware of the latest vulnerabilities and taking proactive measures, we can reduce the risk of cyber breaches and ensure the security of our personal data.