Canadian Cyber News Rewire - 09/05/26
Wiring you into the cyber news relevant to Canada the week ending May 09
The Weekly News Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.
Editor Notes:
I have two new papers out with the Canadian Global Affairs Institute:
Go sign Tanya Janca’s Secure-Coding Petition! (It closes May 26)
The article is finally out and can be read here.
I am unfortunately experiencing a rough chronic illness flare-up, so my next research article will likely be delayed.
Feature your business in Canadian Cyber in Context through sponsorship.
Canadian News
Nearly 600 people had unauthorized access to Alberta’s electors list, watchdog alleges
More developments in the Alberta Electoral List Scandal
DHS Demanded Google Surrender Data on Canadian’s Activity, Location Over Anti-ICE Posts
This is exactly what others and I have been warning about regarding exposure to United States tech companies, particularly the hyperscalers. Homeland Security is demanding information about the person based on a 1930s trade law, which highlights that the government doesn’t need to use the United States CLOUD Act to go after Canadians and Canada. We also must contend with the fact that this is likely not the only one, but the one we’re hearing about.
CTV Coverage: U.S. government wants Google to share data on unidentified Canadian Trump critic
Paywalled, but a tremendous investigation and work here
Ottawa plans to spin off federal semiconductor facility into “commercial entity”
I am a bit worried about this plan, but it has a lot of potential.
Google now offers up to $1.5 million for some Android exploits
Google offers big money to hackers and security experts to report bugs to Google rather than exploit them.
Google’s announcement about changes to bug bounties: Evolving the Android & Chrome VRPs for the AI Era
Educational company Instructure reports cyber incident
Instructure is the company behind Canvas, which is widely used in Canada.
The breach of Instructure has led to the massive breach and ransom of Canvas.
A cyberattack hit universities worldwide, including top Canadian schools. Here’s what we know
U of T, OCAD amongst Ontario universities impacted by Canvas cyber breach
UBC, SFU among thousands of universities affected by Canvas software cyber breach
This is hitting right when many schools are holding finals. Ransomware criminals are smart and know this is the time for maximum pressure.
U.S., Russia interfering in Alberta separatist debate, study says
Of no surprise. We already know the Trump admin is providing tacit support, and Russia always loves an instance to support division.
Report from DisinfoWatch and Global Centre for Democratic Resilience here.
Canadian government to pay $8.7M to settle data breach class-action involving CRA accounts
Covers the breaches during the height of COVID. Being administered by KPMG through this portal.
Canadian Shield Institute releases Chapter 1 of Foundations of Digital Sovereignty
Canadian Shield Institute is quickly becoming the go-to think tank on digital and emerging technology issues affecting Canada.
OpenAI didn’t respect Canadian privacy law when it trained ChatGPT: investigation
Yes, good this was confirmed, but there will likely be very little teeth or response to ensure compliance or punishment for this. As a result, corporations will be encouraged to do this in the future because OpenAI got away with it.
The problem isn’t the lawful access, it is the mechanisms to enable it which can make it easier for everyone except law enforcement.
Apple argues Liberals’ lawful access bill could put users’ personal data at risk
Apple rarely engages in the Canadian policy/legal space, so it is always noteworthy when they comment.
‘We are not at war, but we’re not at peace either,’ warns German cyber chief
Meetings between Germany's Cyber Head and CAFCYBERCOM. But of course, this article doesn't expand on that at all and gives us a "supply chain that is worried about cyber" as if it's from 2022.
This woman’s identity was stolen in a CRA hack. Why hasn’t the impostor been charged in her case?
A great article on gaps in CRA’s ability to address fraud and cybercrime.
Intelligence Commissioner suggesting they would like more visibility into CSE’s support of cybersecurity incidents.
“Spring Economic Update 2026 proposes to provide $75 million over five years, starting in 2026-27, to Public Safety Canada for the Canada Community Security Program (CCSP)”
Office of the Intelligence Commissioner released its Annual Report 2025
“The math is not mathing”: How AI bubble fears are changing Canadian VCs’ investment approach
Honestly a bit surprised to see some coverage of this, but I hope it’s a growing trend.
Canada to create AI and Labour Advisory Council, Solomon says
Yet the government has almost nothing to launch the Canadian Cyber Defence Collective.
[French, Google Translated] Quebec meets with the Belgian data center ecosystem
Digital sovereignty and defence innovation were both discussed.
Head of CRTC Speech on Modernizing Canada’s Broadcasting Framework
Includes some discussion of Internet policies and competition.
Minister Solomon to make announcement supporting sovereign large-scale data centre
Government of Canada to announce investments to strengthen B.C. tech sector and help businesses grow
Announcement later today (May 11) at 11:00AM, but investments for commercialization of AI and quantum technologies.
Canada-Relevant News
As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada.
Absolutely unhinged, unethical behaviour by Google.
More Than a Third of All New Podcasts Are AI-Generated
I have known people to get scammed by these podcasts, or podslop.
Cybercriminals Are Complaining About AI Slop Flooding Their Forums
This potentially opens up an amazing way for law enforcement and enterprising businesses to target cyber criminals: flood their forums with AI slop.
A hacker ran me over with a robot lawn mower
The makers of this lawnmower should be sued for what is so easily accessible from these mowers: Exact GPS coordinates. Email addresses. Wi-Fi passwords.
Sovereign cloud is only possible if you’re Chinese or American: Gartner
“Toombs said that while US-based cloud vendors have created products they say can meet the needs of organizations that need a cloud that doesn’t have legal entanglements outside their chosen jurisdiction, the fact they’re ultimately owned by American corporations means it’s not possible to be certain a cloud provider can promise complete sovereignty.”
Musk’s AI told me people were coming to kill me. I grabbed a hammer and prepared for war
Grok/X has been shown to systematically produce so much harm.
Canadian Cyber Threat Intelligence
While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.
Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites
This will likely be a problem for a while as there will certainly be people who will not update/do not realize they need to update or mitigate against this.
DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026 (h/t Catalin Cimpanu)
What you may not hear in a lot of the reporting of this is that DAEMON Tools is a very popular software for piracy.
Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk
Microsoft loves to make things easy for attackers.
AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours
New Linux ‘Dirty Frag’ zero-day gives root on all major distros
Big yikes on this one.
Massive “Low and Slow” DDoS Attack Hits Platform With 2.45 Billion in 5 Hours
Report by Galileo suggests bots are getting stealthier.
Attackers Use Windows Screensavers to Drop Malware, RMM Tools
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Research, Op-Eds, and Events
Civil Society to Parliament: Kill Bill C-22
Ron Deibert, Director of Citizen Lab, publishes open letter about Bill C-22
Op-ed by Francois Guay of Canadian Cybersecurity Network in conversation with Steve Waterhouse
The Governance Gap: Why Canada Must Strengthen Its Critical Infrastructure Standards
European Parliament Think Tank: Virtual private networks and the protection of children online
Refers to VPNs as a “loophole.” Although just a research report, the growing trend against VPNs as privacy is being attacked online is a cause for concern.
United States News
Foxconn Wisconsin production halt raises cyber questions (h/t Catalin Cimpanu)
Is it DNS or ransomware?
IBM security executive emerges as possible contender to lead CISA
CISA is being allowed to wither and die, so it’s hard to say if the new pick will even be confirmed or if he will help to increase confidence.
A DOD contractor’s API flaw exposed military course data and service member records
Cyberattack hits Canvas system used by thousands of schools as finals loom
US-focused coverage here. Including additional coverage of Canvas hack because this is a MASSIVE breach.
White House distances itself from tighter AI regulation
There has been some discussion of the White House conducting security reviews of certain frontier/advanced AI models, but this suggests that there won’t be a straight regulation, but a voluntary partnership. As far as I know, the White House wouldn’t necessarily be able to unilaterally establish regulations in this manner in the first place without the support/approval of Congress, but as we’ve seen, the United States no longer cares about the rule of law.
US telecom agency votes to expand tech crackdown on China
FCC unanimously voted to propose banning “all Chinese labs from testing electronic devices such as smartphones, cameras and computers for use in the United States.”
Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison
DOD planning to address compute ‘bottleneck’ that could hinder AI proliferation
Forbes preliminarily agrees to pay $10 million to settle California wiretapping lawsuit
California is one of the few US states that has historically been a trend setter in pro-consumer behavior and has had the weight to influence the broader economic trends. With that said, $10 million is a drop in the bucket of what they likely earn on selling people’s data.
GM to pay over $12 million in California privacy settlement involving driver data
Same in this case. The amounts that companies are fined are rarely punitive. When you make businesses pay fines that are little more than the cost of doing business, it only encourages them to do it more.
OET Announces Extension and Expansion of Waivers
The FCC is providing some leeway to provide security updates to devices such as banned foreign routers and drones.
Hondurasgate website under sustained Attack (H/t Risky Bulletin)
The website of the report which suggests that the United States and Israel plot to destabilize countries in South America has come under sustained attack through cyberspace via intrusion attempts on the website and DDoS.
Wouldn’t normally cover this, but the attacks raise suspicions.
Virginia man found guilty of deleting 96 government databases
Major failure of the company in its initial background checks that allowed a felon previously convicted of computer-related criminal charges to commit additional crimes and ruin a company’s reputation and business.
United Kingdom and European Union News
Dutch consumers launch mass lawsuit against Odido over data breach affecting 6.2 million customers
Being sued by Consumers United in Court who allege Odido failed to protect personal information properly and were “insufficiently transparent and failed to comply with its reporting obligations.”
Poverty and technology leading to record levels of slavery in UK
Many countries are currently looking to modernize their surveillance and lawful access laws. (Sounds redundant to differentiate)
Welcome to the GRU University, Where Moscow Turns Students into Spies and Hackers
Revealed: Russia’s top secret spy school teaching hacking and election meddling
This is a massively important leak. Not much was publicly known about the GRU’s recruitment and training process prior to this, and now this opens a lot to understand their doctrine and institutional approaches to cyber.
Polish intelligence warns hackers attacked water treatment control systems
Russian hackers have been battering critical infrastructure the past few years.
Will ban nudification tools and delay the implementation of key provisions of the EU AI Act.
NVIDIA confirms GeForce NOW data breach affecting Armenian users
Compartmentalization ensured this wasn’t a global breach, but still bad for Armenian users.
Elon Musk faces criminal probe in France as prosecutors escalate X’s AI Investigation
One can hope that the French will do what is right and lay criminal charges on this serial criminal and fraud.
Taxi app fined €100 million over Russian data transfers
Yango fined 100 million euros for breaching GDPR by transferring personal data to Russia without adequate safeguards. Shows you just how much the Netherlands and the EU take privacy more seriously than the US and Canada.
Other International News
Student hacked Taiwan high-speed rail to trigger emergency brakes
Not quite clear why the 23-year-old hacker did this, but highlights a major vulnerability in the system that could have been much worse.
Australia: The Cyber Incident Review Board
Australia does a lot of dumb in broader cyber governance, but they’ve generally had a good and engaged approach to cyber security and defence. I’m quite jealous. Canada needs this, as the government hides so much when major cybersecurity incidents occur.
Iranian government hackers using Chaos ransomware as cover, researchers say

