Apple and Google Warn Canada's Bill C-22 Lawful Access Act Could Force Encryption Backdoors; Witnesses Press for Explicit Encryption Safeguards
On May 26, Apple and Google representatives testified before Canada's Standing Committee on Public Safety and National Security, urging amendments to Bill C-22, the Lawful Access Act. The bill would require core telecommunications providers to build capabilities for law enforcement access and to retain user metadata for up to one year. Apple told the committee that the legislation could allow the government to compel companies to weaken encryption by inserting backdoors, arguing there is no way to provide access for legitimate authorities without creating vulnerabilities that malicious actors can also exploit. The government has described the bill as encryption-neutral and said it is not seeking backdoors, though witnesses argued the statutory language does not make that intent clear.
For Canadian organizations, Bill C-22 is a data governance and security architecture question, not only a civil liberties debate. Mandated lawful access capabilities and extended metadata retention enlarge the attack surface and increase the volume of sensitive data subject to retention, access control, and breach exposure obligations. The bill has passed two of three readings in the House of Commons and faces Senate review. Organizations that operate communications, identity, or messaging infrastructure should begin assessing how compelled access provisions and longer retention periods would intersect with their existing encryption design and data minimization commitments.
- Apple and Google testified May 26 urging amendments to Bill C-22, the Lawful Access Act
- Bill would require core telecom providers to build lawful access capabilities and retain metadata for up to one year
- Apple warned the bill could force encryption backdoors; the government calls the bill encryption-neutral
- Passed two of three readings in the House of Commons; Senate review pending
Implications
Organizations should treat Bill C-22 as a forward signal to inventory where lawful access obligations, metadata retention, and encryption design intersect with their own data governance. Map response to ISO/IEC 27001:2022 A.5.31 (legal, statutory, regulatory and contractual requirements), A.5.34 (privacy and protection of personally identifiable information), A.8.24 (use of cryptography), and A.8.10 (information deletion). Privacy-by-design obligations under PIPEDA and provincial private-sector laws should be revisited for any newly retained metadata. Boards should request a written assessment of how expanded retention and access mandates would affect data minimization posture and breach exposure before the bill advances to Royal Assent.
Critical marimo Notebook Flaw (CVE-2026-39987) Exploited in the Wild Within Ten Hours of Disclosure, Cloud Credentials Stolen in Under Three Minutes
The Sysdig Threat Research Team reported, as covered by CSO Online, that CVE-2026-39987, a critical unauthenticated remote code execution vulnerability in the open-source marimo Python notebook, was exploited in the wild within 9 hours and 41 minutes of public disclosure. Rated CVSS 9.3 and affecting all versions before 0.23.0, the flaw exposes an unprotected WebSocket terminal endpoint that grants a full interactive shell from a single connection with no credentials. On a honeypot, an operator located an environment file and harvested AWS access keys and application credentials in under three minutes, having built a working exploit using only the advisory description before any public exploit tool existed.
The case is the operational counterpart to last week's Verizon 2026 DBIR finding that vulnerability exploitation has overtaken stolen credentials as the top breach entry point and that the disclosure-to-exploitation window is collapsing toward hours. Internet-reachable developer, notebook, and data science tooling, frequently deployed outside formal change control, is a recurring exposure. Patched version 0.23.0 closes the authentication gap on the terminal endpoint.
- CVE-2026-39987, CVSS 9.3: unauthenticated remote code execution in marimo via an unprotected WebSocket terminal endpoint
- Exploited in the wild within 9 hours and 41 minutes of disclosure; AWS keys harvested in under three minutes on a honeypot
- Attacker built a working exploit from the advisory text alone, before any public tool existed
- Patched in marimo 0.23.0
Implications
Inventory internet-reachable developer, notebook, and data science tooling and bring it under the same exposure management and patch timelines as production systems. Treat cloud credentials and secrets stored in environment files as a primary target; rotate and vault them. Map response to ISO/IEC 27001:2022 A.8.8 (management of technical vulnerabilities), A.8.9 (configuration management), A.8.16 (monitoring activities), A.5.7 (threat intelligence), and A.8.24 (use of cryptography) for secrets handling. NIST SP 800-53 RA-5, SI-2, and SI-4 apply. With the disclosure-to-exploitation window now measured in hours, emergency patch pathways for internet-facing assets should not depend on standard monthly cycles.
Palo Alto PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Added to CISA KEV After Active Exploitation; Federal Remediation Deadline June 19
CISA added CVE-2026-0257, a PAN-OS GlobalProtect authentication bypass, to its Known Exploited Vulnerabilities catalogue on May 29, setting a federal civilian remediation deadline of June 19. The vulnerability lets a remote, unauthenticated attacker forge authentication override cookies and establish an unauthorized VPN connection through the GlobalProtect gateway. It is triggered only in a non-default configuration where the certificate used to encrypt the authentication override cookies is shared with another feature, such as the portal or gateway HTTPS service. Palo Alto Networks published the advisory on May 13.
Remote access infrastructure remains one of the most consistently targeted entry points, and an authentication bypass on a VPN gateway gives an attacker a foothold inside the perimeter that sidesteps multi-factor controls at the edge. Organizations should confirm whether the authentication override feature is enabled and whether the certificate-sharing condition applies to their deployment, rather than assume a default configuration is unaffected.
- CVE-2026-0257: unauthenticated authentication bypass in PAN-OS GlobalProtect; forges override cookies for unauthorized VPN access
- Triggered only when the authentication override cookie certificate is shared with another feature
- Added to the CISA KEV catalogue on May 29; federal civilian remediation deadline June 19, 2026
- Palo Alto Networks advisory published May 13
Implications
Confirm GlobalProtect configurations against the affected condition, apply the fixed PAN-OS release, and review VPN authentication logs for unexpected sessions or override cookie use. Map response to ISO/IEC 27001:2022 A.8.8 (management of technical vulnerabilities), A.5.17 (authentication information), A.8.5 (secure authentication), A.8.20 (networks security), and A.8.16 (monitoring activities). NIST SP 800-53 AC-17 (remote access) and SI-2 (flaw remediation) apply. Treat KEV-listed VPN gateway flaws as expedited given the established pattern of rapid exploitation against edge infrastructure.
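The "confirm the affected condition" step above is easy to get wrong by eye when a firewall has many portals and gateways. The following audit script is an added example, not Palo Alto Networks' tooling or the advisory's text: it flags every enabled authentication override whose cookie certificate is also bound to another feature (the portal or gateway HTTPS service), which is the CVE-2026-0257 precondition the article describes. The dictionary layout, object names and certificate names are assumed and constructed for illustration; PAN-OS's real exported XML must be mapped onto it.

```python
from dataclasses import dataclass

# Constructed sample, not a real deployment. Assumed simplified layout:
# each portal/gateway has an HTTPS certificate and an optional auth-override block.
SAMPLE_CONFIG = {
    "portals": {
        "corp-portal": {
            "https_certificate": "gp-cert",
            "authentication_override": {"enabled": True, "certificate": "gp-cert"},
        },
    },
    "gateways": {
        "corp-gw": {
            "https_certificate": "gp-cert",
            "authentication_override": {"enabled": True, "certificate": "gp-cert"},
        },
        "lab-gw": {  # dedicated cookie certificate: precondition not met
            "https_certificate": "lab-https-cert",
            "authentication_override": {"enabled": True, "certificate": "cookie-only-cert"},
        },
    },
}

@dataclass(frozen=True)
class Finding:
    feature: str              # e.g. "portal:corp-portal:auth-override"
    certificate: str          # the cookie-encryption certificate
    shared_with: tuple        # other features bound to the same certificate

def collect_bindings(config: dict) -> list:
    """Return (feature_label, certificate) pairs for every certificate use modelled here."""
    bindings = []
    for kind in ("portal", "gateway"):
        for name, obj in config.get(kind + "s", {}).items():
            if obj.get("https_certificate"):
                bindings.append((f"{kind}:{name}:https", obj["https_certificate"]))
            override = obj.get("authentication_override") or {}
            if override.get("enabled") and override.get("certificate"):
                bindings.append((f"{kind}:{name}:auth-override", override["certificate"]))
    return bindings

def audit_auth_override(config: dict) -> list:
    """Flag enabled auth overrides whose certificate is reused by a non-override feature.
    Portal and gateway overrides legitimately share one certificate so the gateway can
    decrypt cookies the portal issued; only reuse by other features is reported."""
    bindings = collect_bindings(config)
    findings = []
    for label, cert in bindings:
        if not label.endswith(":auth-override"):
            continue
        shared = sorted(other for other, c in bindings
                        if c == cert and not other.endswith(":auth-override"))
        if shared:
            findings.append(Finding(label, cert, tuple(shared)))
    return findings
```

Run `audit_auth_override(SAMPLE_CONFIG)` and expect two findings (corp-portal and corp-gw, both sharing gp-cert with the HTTPS services) and none for lab-gw; a clean result does not replace applying the fixed release.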
ShinyHunters Salesforce Extortion Campaign Widens; Carnival Confirms Data Breach Affecting Nearly Six Million People
Cruise operator Carnival Corporation confirmed a data breach affecting nearly six million people, disclosed through a filing with Maine's Attorney General indicating 5,995,277 individuals were affected, as reported by The Record. The incident was identified on April 14 and began when attackers used social engineering to compromise an employee account, then accessed company systems and exfiltrated files containing names, addresses, dates of birth, email addresses, phone numbers, and government-issued identification numbers including passport and driver's license data. The extortion group ShinyHunters claimed responsibility and posted what it said were 8.7 million records. The disclosure lands amid a broader ShinyHunters campaign against Salesforce-connected environments that the FBI has warned about, frequently initiated through voice phishing of employees.
The common thread across the campaign is identity- and human-centered compromise rather than a software vulnerability: attackers socially engineer staff, capture credentials or session access, and pivot into software-as-a-service data stores. Multi-factor authentication alone has proven insufficient where attackers phish the authentication flow directly or trick staff into approving access.
- Carnival confirmed a breach affecting 5,995,277 people, identified April 14, via a compromised employee account
- Stolen data includes names, contact details, dates of birth, and government-issued identification numbers
- ShinyHunters claimed responsibility and published what it said were 8.7 million records
- Part of a wider ShinyHunters Salesforce-focused extortion campaign flagged by the FBI, often starting with voice phishing
Implications
Treat social engineering and software-as-a-service data exposure as a board-level identity governance issue. Strengthen phishing-resistant authentication, conditional access, and session protection for staff with access to customer data platforms, and review third-party data minimization. Map response to ISO/IEC 27001:2022 A.5.16 (identity management), A.5.17 (authentication information), A.6.3 (information security awareness, education and training), A.5.7 (threat intelligence), and A.5.24 (information security incident management planning). NIST SP 800-53 IA-2, AC-2, and AT-2 apply. Canadian organizations holding personal information should confirm breach notification readiness under PIPEDA and applicable provincial laws.
Canada's National AI Strategy Imminent: Six Pillars Anchor on a Sovereign AI Foundation and Privacy Reform, as Ottawa and TELUS Advance Sovereign Compute
Prime Minister Mark Carney said on May 27 that Canada's long-delayed national AI strategy will be released imminently, built on six pillars revealed in the spring economic update. The pillars include protecting Canadians and safeguarding democracy through modernized privacy and online safety laws, building a Canadian sovereign AI foundation, scaling Canadian champions, and aligning standards with trusted international partners. In parallel, the Government of Canada and TELUS announced on May 25 that they are advancing sovereign AI infrastructure in British Columbia under the federal large-scale sovereign AI data centre initiative, drawing on an initial 85 megawatts of clean power and housing more than 60,000 graphics processing units once operational.
For Canadian organizations, the combination of a sovereign AI foundation pillar and concrete sovereign compute investment signals that data residency, sovereignty, and AI governance are converging into procurement and policy expectations. The reference to modernized privacy and online safety laws indicates the privacy reform that stalled with earlier legislation is being repositioned inside the AI strategy. ISO/IEC 42001 AI management system structure and documented data residency controls become more relevant for organizations selling to government or operating regulated workloads.
- Carney said on May 27 the national AI strategy will be released imminently, built on six pillars
- Pillars include a sovereign AI foundation and modernized privacy and online safety laws
- Government of Canada and TELUS advancing sovereign AI data centres in British Columbia, 85 megawatts initial power, more than 60,000 GPUs
- Data residency and AI governance are converging into Canadian procurement and policy expectations
Implications
Organizations should align AI governance to ISO/IEC 42001:2023 management system requirements and document data residency, model provenance, and lifecycle controls in anticipation of sovereignty-linked procurement criteria. Map supporting controls to ISO/IEC 27001:2022 A.5.31 (legal, statutory, regulatory and contractual requirements) and A.5.23 (information security for use of cloud services). Boards should track the strategy release and any privacy reform reintroduced under it, since modernized federal privacy law would reset baseline obligations for personal data and automated decision systems.