Canada’s House of Commons

Canada’s House of Commons suffered a cyberattack in which unidentified threat actors exploited a **recent Microsoft SharePoint vulnerability (CVE-2025-53770, 'ToolShell')** to breach its systems. The attack resulted in the theft of **sensitive employee data**, including names, email addresses, job titles, office locations, and device information from employee computers and mobile devices. The breach was confirmed via an internal email to staff, and investigations by the House of Commons and Canada’s Communications Security Establishment (CSE) are ongoing. The vulnerability has been linked to multiple high-profile breaches, including those by **Chinese state-sponsored groups**, and has previously been used to compromise entities like the **US National Nuclear Security Administration** and the **Rhode Island General Assembly**. Employees were advised to remain vigilant against potential follow-up phishing or malicious communications. Attribution remains unclear, but the exploit aligns with a broader trend of SharePoint-based attacks.

Source: https://www.techradar.com/pro/security/canadas-house-of-commons-hit-by-cyberattack-data-possibly-leaked-online-could-microsoft-sharepoint-be-to-blame

TPRM report: https://www.rankiteo.com/company/houseofcommons-

"id": "hou839081625",
"linkid": "houseofcommons-",
"type": "Breach",
"date": "6/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Legislative/Government',
                        'location': 'Canada',
                        'name': 'House of Commons of Canada',
                        'type': 'Government Institution'}],
 'attack_vector': ['Exploitation of Microsoft SharePoint Vulnerability '
                   "(CVE-2025-53770 / 'ToolShell')"],
 'data_breach': {'data_exfiltration': ['Confirmed (data stolen by threat '
                                       'actors)'],
                 'personally_identifiable_information': ['Names',
                                                         'Email addresses',
                                                         'Job titles',
                                                         'Office locations'],
                 'sensitivity_of_data': ['Moderate to High (includes PII and '
                                         'internal device details)'],
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Employee metadata',
                                              'Device information']},
 'description': 'Canada’s House of Commons suffered a cyberattack where '
                'unnamed hackers exploited a recent Microsoft SharePoint '
                'vulnerability (suspected to be CVE-2025-53770, aka '
                "'ToolShell') to access a database containing sensitive "
                'employee information. Stolen data includes employee names, '
                'email addresses, job titles, office locations, and device '
                'information. The incident is under investigation by the House '
                'of Commons and Canada’s Communications Security Establishment '
                '(CSE). Employees were advised to remain vigilant against '
                'potential phishing or malicious communications.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
                                        'sensitive data exposure'],
            'data_compromised': ['Employee names',
                                 'Email addresses',
                                 'Job titles',
                                 'Office locations',
                                 'Device information (computers and mobile '
                                 'devices)'],
            'identity_theft_risk': ['High (due to exposure of PII like names, '
                                    'email addresses, and job titles)'],
            'systems_affected': ['Microsoft SharePoint Server',
                                 'Employee database']},
 'initial_access_broker': {'entry_point': ['Microsoft SharePoint Server (via '
                                           'CVE-2025-53770)'],
                           'high_value_targets': ['Employee database']},
 'investigation_status': ['Ongoing (by House of Commons and CSE)'],
 'post_incident_analysis': {'root_causes': ['Exploitation of unpatched '
                                            'Microsoft SharePoint '
                                            'vulnerability (CVE-2025-53770)']},
 'ransomware': {'data_exfiltration': ['Yes (data theft confirmed)']},
 'references': [{'source': 'CBC News'},
                {'source': 'BleepingComputer'},
                {'source': 'Canada’s Cyber Centre (Warning about '
                           'CVE-2025-53770)'},
                {'source': 'TechRadar Pro'}],
 'response': {'communication_strategy': ['Internal email to employees warning '
                                         'of vigilance against '
                                         'phishing/malicious communications'],
              'incident_response_plan_activated': ['Yes (Investigation ongoing '
                                                   'by House of Commons and '
                                                   'CSE)'],
              'third_party_assistance': ['Canada’s Communications Security '
                                         'Establishment (CSE)']},
 'stakeholder_advisories': ['Internal email to employees'],
 'threat_actor': ['Unnamed (Speculated: Possibly Chinese state-sponsored '
                  'groups)'],
 'title': 'Cyberattack on Canada’s House of Commons Resulting in Sensitive '
          'Employee Data Theft',
 'type': ['Data Breach', 'Cyberattack'],
 'vulnerability_exploited': ['CVE-2025-53770 (ToolShell)']}