Three Documented Failures
CRA Account Compromises
The Canada Revenue Agency experienced credential stuffing attacks that compromised thousands of GCKey and CRA accounts. Attackers used credentials obtained from other breaches to access CRA accounts, change direct deposit information, and redirect CERB and other benefit payments. The AG documented concerns about CRA's identity verification processes. The breaches occurred during COVID-19, when rapid benefit deployment took priority over security, creating vulnerabilities that persisted.
Federal Government Network Breaches
Multiple federal government departments have experienced cyber intrusions. The Canadian Centre for Cyber Security (CCCS) has attributed attacks to nation-state actors including China and Russia. Government networks containing sensitive citizen data — tax records, immigration files, health information — have been targeted. As documented in the data sovereignty analysis, government data stored on US cloud infrastructure adds another vulnerability layer: Canadian data is accessible under both Canadian and US legal authority.
Critical Infrastructure Vulnerabilities
Canada's critical infrastructure — energy grids, telecommunications networks, water systems, and transportation — faces documented cyber vulnerabilities. The CCCS has issued advisories about nation-state targeting of critical infrastructure. Yet Canada has no mandatory cyber security standards for critical infrastructure operators (unlike the US, which has sector-specific requirements). The captured regulators that oversee these sectors have not imposed binding cyber security requirements. The result: critical infrastructure that serves 39 million Canadians operates with voluntary security standards that the operators themselves determine.
Physical + Digital = Total Sovereignty Failure
Can't patrol the Arctic. Can't sell energy. Can't make medicine. Can't defend digital infrastructure. The same institutional capture that prevents physical sovereignty also prevents digital sovereignty.