Telus Digital Hit by Massive ShinyHunters Data Breach
Telus Digital confirmed it is investigating a cybersecurity incident involving unauthorized access to a limited number of its systems. The extortion group ShinyHunters claims to have stolen upwards of one petabyte of data from both the company and its customers.
Security analyst Fritz Jean Louis characterized the breach as "abuse of legitimate access rather than overt technical exploitation," noting organizations struggle with detecting "abnormal trusted behavior." Recommendations include aggressive network segmentation, behavioral analytics, and prioritizing data theft preparedness alongside ransomware defenses.
- ShinyHunters specializes in targeting Salesforce and SaaS vendors and has used voice phishing tactics impersonating IT staff
- The breach highlights that perimeter defenses alone are insufficient against modern threat actors who exploit legitimate access paths
- Organizations should evaluate their behavioral analytics capabilities and incident response readiness for data exfiltration scenarios
Implications
This breach underscores that perimeter defenses alone are insufficient against modern threat actors who exploit legitimate access paths. Organizations should evaluate their behavioral analytics capabilities, network segmentation posture, and incident response readiness for data exfiltration scenarios. The involvement of a Canadian critical infrastructure provider raises questions about supply chain risk management for enterprises relying on outsourced digital services.
Salt Typhoon Campaign Expands to Canadian Telecommunications
TechCrunch published a comprehensive tracker documenting every known target of China’s Salt Typhoon espionage campaign, which has expanded to include Canadian telecommunications companies. The Canadian Centre for Cyber Security confirmed that PRC cyber actors compromised three network devices registered to an unnamed Canadian telecom firm.
The CCCS noted that PRC cyber actors exploited CVE-2023-20198 in Cisco devices to establish persistent access, configuring a GRE tunnel for traffic collection. Overlaps with malicious indicators suggest targeting extends beyond the telecommunications sector. Canadian cyber authorities assess PRC cyber actors will almost certainly continue targeting Canadian organizations over the next two years.
- Salt Typhoon exploited CVE-2023-20198 in Cisco devices to establish persistent access to Canadian telecom infrastructure
- The CCCS noted overlaps with malicious indicators suggest targeting extends beyond the telecommunications sector
- Canadian cyber authorities assess PRC cyber actors will almost certainly continue targeting Canadian organizations over the next two years
Implications
This campaign represents a significant national security concern for Canadian organizations, particularly those in telecommunications and critical infrastructure. Organizations should audit Cisco device configurations, review network segmentation for telemetry collection points, and ensure their vulnerability management programs address known exploited CVEs.
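One way to run the Cisco configuration audit recommended above, as an added example that is not taken from the CCCS advisory or the original article: it flags the IOS XE web UI (the component affected by CVE-2023-20198), privilege-15 local accounts outside an allowlist, and GRE tunnels to destinations outside an allowlist. The function name, both allowlists and the sample running-config are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config (documentation addresses, not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
username svc_tmp privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
!
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
!
interface Tunnel9
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
"""

def audit_config(config, approved_tunnel_dests, approved_admins):
    """Return (category, detail) findings for one running-config text."""
    findings = []
    # A line starting in column 0 opens a new top-level command or block.
    for block in re.split(r"\n(?=\S)", config.strip()):
        head = block.splitlines()[0].strip()
        # Web UI exposure: either HTTP or HTTPS server enabled.
        if re.fullmatch(r"ip http (secure-)?server", head):
            findings.append(("web-ui-enabled", head))
        user = re.match(r"username (\S+) privilege 15\b", head)
        if user and user.group(1) not in approved_admins:
            findings.append(("unapproved-priv15-user", user.group(1)))
        tun = re.match(r"interface (Tunnel\d+)", head)
        if not tun:
            continue
        # IOS omits "tunnel mode" when it is the default, GRE over IP.
        mode = re.search(r"^\s+tunnel mode (.+)$", block, re.M)
        is_gre = mode is None or mode.group(1).startswith("gre")
        dest = re.search(r"^\s+tunnel destination (\S+)", block, re.M)
        if is_gre and dest and dest.group(1) not in approved_tunnel_dests:
            findings.append(("unapproved-gre-tunnel",
                             f"{tun.group(1)} -> {dest.group(1)}"))
    return findings

FINDINGS = audit_config(SAMPLE_CONFIG, {"192.0.2.10"}, {"netops"})
```

Each finding is a lead for review against change records, not proof of compromise; an approved tunnel or admin account should be added to the allowlist rather than ignored.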
Microsoft Patch Tuesday: 77 Vulnerabilities Including AI-Discovered Critical Flaw
Microsoft addressed at least 77 vulnerabilities across Windows and other software in its March 2026 Patch Tuesday release. A landmark vulnerability in this batch was CVE-2026-21536, a 9.8-rated critical flaw discovered by an autonomous AI agent called XBOW, marking a significant shift toward AI-driven vulnerability discovery.
CVE-2026-21262 (CVSS 8.8) allows authenticated attackers to escalate privileges to sysadmin on SQL Server 2016 and later editions. CVE-2026-26113 and CVE-2026-26110 enable remote code execution simply by viewing a compromised message in the Preview Pane.
- CVE-2026-21262 allows privilege escalation to sysadmin on SQL Server 2016 and later editions
- CVE-2026-26113 and CVE-2026-26110 enable remote code execution via the Preview Pane
- CVE-2026-21536 represents one of the first vulnerabilities identified by an autonomous AI agent
Implications
Organizations running Microsoft infrastructure should prioritize patching SQL Server and Office products. The emergence of AI-driven vulnerability discovery tools signals a paradigm shift: the volume and speed of vulnerability identification are likely to accelerate, compressing the window between disclosure and exploitation.
Veeam Patches Three Critical RCE Flaws in Backup and Replication
Veeam published security advisories addressing five vulnerabilities in Veeam Backup and Replication, including three remote code execution bugs each carrying a CVSS score of 9.9 out of 10. The flaws allow authenticated domain users to execute code on backup infrastructure components.
CVE-2026-21668 allows attackers with repository access to manipulate arbitrary files on backup infrastructure. Fixed in Veeam Backup and Replication 12.3.2.4465; organizations running older builds should upgrade immediately.
- Three RCE vulnerabilities each rated CVSS 9.9
- Affects Veeam Backup and Replication versions 12 and 13
- Backup infrastructure is a prime target for ransomware operators seeking to eliminate recovery options
Implications
Backup infrastructure is a prime target for ransomware operators seeking to eliminate recovery options before encryption. Organizations relying on Veeam for business continuity should treat these patches as urgent and validate that backup environments are segmented from production networks.
FBI and CISA Warn Organizations to Harden Microsoft Intune After Iran-Linked Attack on Stryker
The FBI and CISA issued a joint advisory urging organizations to harden Microsoft Intune configurations after an Iran-linked hacking group called Handala compromised the medical technology firm Stryker, remotely wiping more than 200,000 devices using legitimate Intune management commands.
The attackers did not deploy malware. Instead, they exploited Intune’s remote wipe capability to destroy data across factories in the United States, Ireland, India, and other countries. CISA recommends role-based access controls, multi-factor authentication, and policies requiring a second administrator’s approval for sensitive actions such as device wiping.
- Handala wiped over 200,000 devices using legitimate Intune remote wipe commands without deploying malware
- The FBI seized the group’s leak site, confirming it operated on behalf of a foreign state actor
- CISA urges organizations to require dual approval for sensitive endpoint management actions
Implications
This attack demonstrates that endpoint management platforms are high-value targets for nation-state actors. Organizations using Microsoft Intune or similar MDM solutions should immediately review administrative access controls and implement dual-approval workflows for destructive commands. The incident underscores that legitimate management tools can be weaponized when access controls are insufficient.
Bank Software Vendor Marquis Confirms Ransomware Attack Impacted 672,000 Individuals
Marquis Software, a vendor providing communication platforms to financial institutions, disclosed that a ransomware attack exploiting a SonicWall firewall vulnerability impacted 672,075 individuals across at least 74 banks and credit unions. Stolen data includes Social Security numbers, financial account information, and taxpayer identification numbers.
The breach was traced to a vulnerability in a SonicWall firewall device. Marquis reportedly paid a ransom to the attackers, though no ransomware group has publicly claimed the attack. Multiple banks continue to notify affected customers months after the initial incident.
- At least 74 banks, credit unions, and financial institutions impacted through a single vendor compromise
- Stolen data includes Social Security numbers, dates of birth, and financial account details
- The attack exploited a known vulnerability in a SonicWall firewall device
Implications
This breach illustrates the cascading risk of third-party vendor compromises in the financial sector. A single vendor vulnerability affected dozens of institutions and hundreds of thousands of individuals. Organizations should ensure their third-party risk management programs include validation of vendors’ perimeter device patching and incident response capabilities.
Aflac Confirms 22.7 Million Individuals Impacted by Data Breach
Aflac disclosed to the SEC that a breach by a “sophisticated cybercrime group” compromised information belonging to 22.7 million individuals, including customers, beneficiaries, employees, and agents. Stolen documents contained insurance claims, health data, Social Security numbers, and other personal details.
The intrusion was identified on June 12 and stopped within hours, with no business functions affected by ransomware. The investigation concluded on December 4, and victims are being given access to two years of identity protection services with an enrollment deadline of April 18, 2026.
- 22.7 million individuals had personal and health information stolen
- Stolen data includes insurance claims, health data, and Social Security numbers
- Victims offered two years of identity protection with enrollment deadline April 18, 2026
Implications
The scale of this breach places it among the largest in the insurance sector. Organizations handling sensitive health and financial data should evaluate whether their incident detection and response capabilities can contain breaches within hours. The multi-month gap between breach identification and victim notification raises questions about disclosure timelines under current regulatory frameworks.
CPCSC Phase 2 Launches April 2026: Level 1 Self-Assessment Becomes Mandatory for Defence Contracts
The Canadian Program for Cyber Security Certification enters Phase 2 in April 2026, marking a significant milestone as Level 1 cyber security self-assessment requirements become mandatory for new defence contracts. Organizations bidding on National Defence RFPs will need to complete self-assessments and provide attestations through Canada Buys.
Phase 2 (April 2026 to March 2027) makes Level 1 self-attestation mandatory at contract award for qualifying defence procurement. The accreditation ecosystem opens for organizations seeking to become Level 2 certification bodies. Phase 3 (April 2027 onward) will introduce Level 3 requirements conducted by National Defence.
- Phase 2 makes Level 1 self-attestation mandatory at contract award for qualifying defence procurement
- The accreditation ecosystem opens for Level 2 certification bodies
- Phase 3 will introduce Level 3 requirements conducted by National Defence
Implications
Defence suppliers who have not yet completed their Level 1 self-assessment face an immediate compliance deadline. The CPCSC represents Canada’s most significant mandatory cyber security certification requirement and signals a broader trend toward supply chain security requirements across government procurement.
Canada’s AI Strategy and Regulatory Framework Take Shape Under Minister Solomon
AI Minister Evan Solomon has confirmed the Carney government will not revive the previous government’s Artificial Intelligence and Data Act (AIDA) wholesale but is developing a new regulatory framework described as "light, tight, right." Experts warn Canada risks falling behind international peers, particularly the EU with its AI Act.
Solomon announced $8.5 million in federal investment for 40 AI adoption projects across Atlantic Canada in early March. Canada currently has no overarching AI legislation or specific rules for chatbots, unlike the EU which has implemented the AI Act.
- AIDA from Bill C-27 will not be reintroduced as drafted
- Solomon’s approach prioritizes supporting innovation while avoiding a regulatory "Wild West"
- Canada currently has no overarching AI legislation
Implications
The regulatory gap creates both opportunity and risk. Without enforceable AI legislation, companies lack clear compliance guardrails but face the prospect of retroactive requirements. Organizations should adopt voluntary frameworks such as ISO/IEC 42001 and the NIST AI Risk Management Framework now to establish governance maturity ahead of regulation.
RSAC 2026: AI Governance Dominates Cybersecurity Agenda
With RSA Conference 2026 set for March 23 to 26, approximately 40% of the 450-plus sessions are AI-weighted, marking the first time AI is not a conference track but the defining theme of the entire event.
Key priorities include securing the AI stack, AI governance policy frameworks, non-human identity management, shadow AI risk, and SOC autonomous remediation. Non-human identities now routinely outnumber human identities in enterprise environments.
- 40% of sessions are AI-focused, making it the defining theme
- Non-human identities (AI agents, autonomous bots, service accounts) now outnumber human identities
- RAG workflows, LLM data pipelines, and vector databases have introduced attack surfaces most security teams are not yet equipped to defend
Implications
The convergence of cybersecurity and AI governance means compliance teams and security operations must coordinate more closely on policy, risk assessment, and audit readiness. Organizations should prioritize developing defensible AI governance frameworks and inventorying non-human identities.
Canada and Norway Sign Joint Statement on Sovereign Technology and AI Cooperation
Canada and Norway issued a joint statement committing to deepen collaboration on artificial intelligence and digital technologies through the newly launched Sovereign Technology Alliance. The agreement builds on the AI Summit and emphasizes shared democratic values, rule of law, and sovereign AI capacity.
Norway is exploring participation in the Sovereign Technology Alliance to strengthen coordination with trusted partners and reduce strategic technology dependencies in key sectors. The statement follows Canada’s earlier joint declaration with Germany launching the Alliance in February 2026.
- Norway exploring participation in the Sovereign Technology Alliance launched with Germany in February
- Focus on reducing strategic technology dependencies and strengthening sovereign AI capacity
- Built on cooperation through the OECD and Global Partnership for Artificial Intelligence
Implications
Canada’s expanding network of bilateral AI agreements with democratic partners signals an emerging bloc approach to AI governance. The Sovereign Technology Alliance could establish interoperability requirements for AI systems deployed across member nations, creating both opportunities for aligned vendors and compliance considerations for multinational organizations.
OPC Closes Guidance Modernization Consultation as Privacy Enforcement Intensifies
The Office of the Privacy Commissioner of Canada closed its public consultation on guidance modernization on March 13, 2026. The initiative aims to reshape how the OPC develops and communicates regulatory guidance under PIPEDA.
The consultation ran from December 2, 2025 to March 13, 2026 and was open to individuals, organizations, and industry associations. Results will shape the development of future OPC guidance documents.
- Consultation sought feedback on challenges organizations face when complying with privacy obligations
- Results will shape future OPC guidance documents
- Signals the OPC’s intent to strengthen the practical utility of its guidance
Implications
Organizations should monitor outcomes closely, as modernized guidance may alter how PIPEDA requirements are interpreted and enforced. The initiative signals the OPC’s intent to make compliance obligations clearer but also more specific and enforceable.
Cybersecurity and Privacy Legal Risk Map for 2026 Highlights Expanding Enforcement
CSO Online published a comprehensive legal risk map identifying five critical areas where regulatory enforcement is expanding: state-sponsored threats triggering legal disputes, federal enforcement through the False Claims Act, state-level regulatory coordination, third-party risk management obligations, and whistleblower-driven litigation.
California’s CCPA now mandates comprehensive annual cybersecurity audits covering 18 components. AI chatbots are an emerging privacy risk, with 5% of nearly 200 privacy-related claims targeting chatbot technologies.
- California’s CCPA mandates comprehensive annual cybersecurity audits covering 18 components
- False Claims Act enforcement creates direct personal liability for executives making false compliance attestations
- A bipartisan "Consortium of Privacy Regulators" is coordinating enforcement across jurisdictions
Implications
The legal risk environment for cybersecurity and privacy has become materially more complex. Organizations should ensure their compliance programs account for multi-jurisdictional enforcement and the emerging legal liability associated with AI deployments. The expansion of False Claims Act enforcement elevates cybersecurity governance to board-level fiduciary duty.