Date: Apr 2025

Location: Canada

Summary

The Ontario Public Service Employees Union experienced a cybersecurity incident involving unauthorized access to its IT systems by sophisticated actors. The organization implemented immediate countermeasures, engaged third-party cybersecurity experts for investigation and remediation, and notified law enforcement and legal counsel. The incident caused operational disruptions, including unavailability of the Member Portal, while restoration efforts are underway. The investigation is ongoing, and whether any data was compromised remains unconfirmed.


Description

On April 2, 2025, the Ontario Public Service Employees Union (OPSEU/SEFPO) discovered that an unauthorized third party had accessed its IT systems. The union, representing 180,000 public sector workers in Ontario, stated that all signs indicated this was an attack by sophisticated actors and not a failure of its IT team or systems. Upon discovery, OPSEU immediately implemented countermeasures to contain the incident. The union engaged third-party cybersecurity experts to assist with containment and remediation and to conduct a thorough investigation to determine the cause and extent of the breach. OPSEU also involved external legal counsel and law enforcement agencies. The investigation remained in its early stages at the time of reporting, focusing on reviewing and validating systems before gradually bringing them back online. Disruptions to normal operations were expected during this period.

OPSEU notified its members of the cybersecurity incident on April 3, 2025, via a message on its website and email. A key impact was the immediate unavailability of the Member Portal. The union advised members needing assistance to contact specific email addresses for convention matters, event registrations, hotel bookings, time-off letters, member claims, or their Staff Representative for other inquiries. By April 6, the union reported regaining access to its communication tools and being in the process of restoring its servers, indicating progress towards resuming normal operations. OPSEU could not confirm if any data held by the union, including personal information, had been compromised. The union committed to promptly notifying affected individuals and providing resources should the investigation reveal personal information was impacted. Members were encouraged to monitor their financial accounts for suspicious activity and report it to their banks immediately. They were also cautioned about unsolicited communications requesting personal information and instructed to report any suspicious communications appearing to come from OPSEU to a designated email address. Toronto police deferred all inquiries about the incident back to the union.
