Supply chain
β Supply Chain
Canada Government 2Keys Corporation Identity Services Breach (ESDC, CBSA, CRA)
Primary Source βIncident Details
In September 2025, the Canadian government disclosed that 2Keys Corporation, a digital identity and authentication service provider contracted by multiple federal agencies, had been compromised. The breach affected Employment and Social Development Canada (ESDC), Canada Border Services Agency (CBSA), and the Canada Revenue Agency (CRA). Exposed data included phone numbers and email addresses for account holders using 2Keys-managed authentication. The Government of Canada proactively notified individuals whose information was exposed and suspended 2Keys’ contracts pending a security review. 2Keys, a subsidiary of IBM, provides GCKey and other identity verification services used to access Government of Canada online services.
Technical Details
- Initial Attack Vector
- Threat actors compromised 2Keys Corporation, a third-party digital identity service provider contracted by the Canadian federal government, gaining access to authentication data for government service accounts
- Vendor / Product
- 2Keys Corporation (digital identity/authentication services)
- Supply Chain Attack
- β Confirmed third-party / vendor compromise
Timeline
- 2025-08-01 Breach occurred
- 2025-09-10 Publicly disclosed
- 2025-09-10 Customers notified