Cyber incident involved 'unauthorized access to certain applications through an employee account'
Canada Life has confirmed a cyber incident that exposed the personal information of up to 70,000 people, most of them employees covered under a large corporate group benefits and retirement plan.
In a statement released Monday, the company said it had “recently identified a cyber incident involving unauthorized access to certain applications through an employee account.” Canada Life said it launched an immediate investigation with support from third-party cybersecurity experts and notified the relevant authorities.
According to the Globe and Mail, the incident was identified over the past two weeks. On April 17, ShinyHunters posted on X, formerly Twitter, a message originally shared on the dark web claiming to have accessed personal information from eight major companies, including Canada Life.
The insurer said the incident was "contained" and that regular operations and services are continuing.
Spokesperson Tim Oracheski told the Globe and Mail that the company is finalising an analysis to determine the exact nature and full scope of any impact.
Canada Life said in its news release that it has begun communicating with customers and is working to identify all individuals whose personal information may have been affected.
"Individuals whose personal information was affected will be contacted directly over the coming days as appropriate, and will be offered credit monitoring protection at no cost."
In September 2025, a Royal Bank of Canada (RBC) employee was charged after allegedly accessing the personal data of Prime Minister Mark Carney. Months later, an Ontario hospital's privacy breach involving an AI transcription tool revealed how organizational oversights can undermine even the strongest data protection intentions.
Scope of breach and affected data
Canada Life told the Globe and Mail that the attack was carried out by a criminal hacking and extortion group known as ShinyHunters, which accessed information through a Canada Life employee’s account.
The majority of accounts hacked belong to “one large corporate customer,” the company said, according to the report.
The compromised information includes:
- names
- dates of birth
- mailing addresses
- gender
- and annual income levels.
These data points are commonly used to administer group health and retirement benefits, and can also be valuable to criminals seeking to commit identity theft or fraud.
Canada Life said its current assessment is that “it is a small proportion of our customers who may have been impacted,” relative to its total customer base. The insurer stressed that its “primary focus is the protection and care of our customers, advisors, and employees,” and that it remains committed to “doing the right thing” for stakeholders as it manages the fallout from the incident.
Canada Life said it has hired external cybersecurity experts to support its investigation and confirmed that authorities have been notified. The company reiterated that its systems remain operational and that it continues to provide regular services to customers and advisers.
Growing list of data breach victims
Some notable employers have also been victims of data breach in the past months, including:
|
Employer / Organisation |
Sector |
Approx. timing (public disclosure) |
What happened |
|
Canada Life (The Canada Life Assurance Company) |
Insurance; group benefits and retirement |
April 2026 |
Criminal group ShinyHunters accessed certain applications through a Canada Life employee account, exposing personal information for up to 70,000 people, with most affected belonging to one large corporate group benefits client. |
|
Telus / Telus Digital |
Telecommunications; digital services |
March 2026 |
Telus Digital confirmed a breach after ShinyHunters claimed a large‑scale theft of data following a multi‑month intrusion; Telus said a limited number of systems were accessed without authorisation. |
|
Loblaw Companies Limited |
Retail (food, pharmacy, financial services) |
March 2026 |
Loblaw reported that a criminal third party accessed “basic customer information” such as names, phone numbers and e‑mail addresses after suspicious activity was detected on a non‑critical IT system; passwords, health and payment data were not affected. |
|
Freedom Mobile (owned by Vidéotron) |
Wireless telecommunications |
December 2025 |
Attackers used a subcontractor’s compromised account to access data in Freedom Mobile’s account management platform, exposing personal details (names, addresses, dates of birth, phone numbers and account numbers) for a limited number of customers; payment details and passwords were not taken. |
|
Canada Computers & Electronics |
Retail (technology, electronics) |
February 2026 |
A system supporting the retailer’s website was breached, affecting customers who checked out as guests between late December 2025 and late January 2026; stolen data included personal details and credit‑card information used in those transactions. |
|
Canadian Investment Regulatory Organization (CIRO) |
Financial regulation; quasi‑public employer |
January 2026 |
A phishing‑originated breach first detected in August 2025 was disclosed as far more extensive than initially believed, compromising personal and financial data for about 750,000 investors, including highly sensitive identifiers and account statements. |
Earlier this year, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that 36 health‑care workers across three B.C. health authorities improperly accessed the medical records of Lapu Lapu Day Festival victims 71 times. According to Lyndsay Wasser, partner and co-chair of privacy and data protection at McMillan, employee snooping is not a niche issue confined to high-profile scandals. It is, in her words, “actually a fairly common problem.”
