26 January 2025

Overview Of The Threat Horizon: 2026 Data Breach Insights – Part 1

McCarthy Tétrault LLP


McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.
Data breaches in Canada are becoming increasingly costly and sophisticated, driven by AI-powered attacks, ransomware evolution, and supply chain vulnerabilities.

Breaches were a significant and costly issue for companies in 2025. According to an IBM report published in July 2025 – the Cost of a Data Breach 2025 (“IBM Report”) – the average cost of a breach in Canada was CAD $6.6 million.[1] Costs from breaches arise from operational disruptions, incident response (e.g. forensics and e-discovery), and compliance with applicable (and often overlapping) privacy laws, including breach notification and record-keeping requirements. In Quebec, the Act respecting the protection of personal information (“Quebec Act”) permits severe fines related to breaches and breach response, potentially reaching 2% of global turnover or CAD $10 million for administrative monetary penalties, and up to 4% or CAD $25 million for penal fines.[2] In light of the high costs resulting from breaches, companies should diligently monitor the threat landscape to enhance preparedness and risk mitigation strategies.

Against this backdrop, this article provides an overview of the principal external and internal cyber threats expected to shape breach risk for Canadian organizations in 2026. The analysis begins with the external threat horizon, examining the expanding pool of threat actors, the increasing sophistication of attacks – particularly those enabled by artificial intelligence (AI) – and the growing impact of ransomware, supply‑chain compromise, and attacks on AI‑driven enterprise systems. It then turns to internal threats, including human error, shadow IT, and the legal consequences that can flow from employee misuse of data. Together, these sections are intended to help organizations better understand the risk environment they face and to inform practical mitigation strategies as cyber threats continue to evolve.

Key takeaways

  • Data breaches remain a high‑impact business risk in Canada. Breach costs continue to rise, and organizations face significant regulatory exposure (particularly in Quebec), making preparedness and governance essential.
  • The external threat landscape is broader, faster, and more professionalized. Cybercrime‑as‑a‑Service (“CaaS”) and AI‑enabled tooling have lowered barriers to entry and increased the scale, sophistication, and unpredictability of attacks. We’re seeing notable advancements in ransomware and social engineering sophistication.
  • Supply‑chain and AI‑centric attacks are emerging as systemic risks. Vendor concentration and growing reliance on enterprise AI systems create new breach vectors.
  • Internal threats remain a leading cause of breaches and legal exposure. Human error, shadow IT, and employee misuse of data continue to drive incidents, reinforcing the need for strong internal controls, training, and a culture of compliance.

I. The External Threat Horizon

A. External Threat Outlook

In recent years, many companies have accepted the harsh reality that it’s less about “if” and more about “when,” “how severe,” and “how ready we’ll be” when external threat actors successfully penetrate their defenses. This sentiment is shared by the Canadian Centre for Cyber Security (“CCCS”). In its National Cyber Threat Assessment 2025-2026 (“NCTA 25/26”), the CCCS writes that “Canada has entered a new era of cyber vulnerability where cyber threats are ever-present, and Canadians will increasingly feel the impact of cyber incidents that have cascading and disruptive effects on their daily lives.”[3]

(i) Increase in the Number of Threat Actors

The CCCS explains that the threat landscape is expanding in part because of the growing prevalence of CaaS models. Under CaaS, sophisticated threat actors develop and commercialize exploit kits, data‑theft tools, ransomware, and other offensive capabilities, which are then sold or leased to less technically capable criminals through underground marketplaces. This model significantly lowers traditional barriers to entry and increases the overall number and diversity of active threat actors. The Google Cloud Cybersecurity Forecast 2026 (“Google Report 2026”) supports this assessment, noting the emergence of a mature, industrialized cybercrime ecosystem in which attackers increasingly leverage AI‑enabled tooling to amplify the speed, reach, and effectiveness of these service‑based attacks.[4]

The combined effect is a dramatic lowering – and in some cases removal – of traditional skill barriers, which increases the overall number, diversity, and geographic reach of external threat actors.

(ii) Increased Sophistication

AI-powered tools. A major factor reshaping the risk landscape is threat actors’ growing use of high-quality AI-powered tools. In the NCTA 25/26, the CCCS writes that “AI technologies are almost certainly […] enhancing the quality, scale, and precision of malicious cyber threat activity.”[5] Agentic systems (i.e., AI systems capable of autonomously planning and executing tasks across multiple stages of an attack with minimal human oversight) are increasingly being used to scale and accelerate cyberattacks.[6]

CaaS. In addition to lowering the barriers to entry for threat actors, CaaS is also shaping the operations of established criminal enterprises. The Google Report 2026 describes a mature, industrialized cybercrime ecosystem in which specialized groups supply zero‑day exploitation tools, managed file‑transfer exploitation kits, sophisticated social‑engineering modules, and infrastructure for data theft and extortion campaigns. This professionalization allows criminal groups to augment and scale existing operations, producing higher‑impact attacks with greater operational efficiency.[7]

(iii) State-sponsorship

Geopolitical conflicts, tensions, and rivalries involving Canada or its allied partners remain elevated at the time of writing. In this context, cyber operations have become a persistent feature of statecraft, and state‑sponsored cyber activity now represents a significant and growing threat to Canadian organizations – particularly those operating in critical infrastructure, government, research, and technology sectors. The World Economic Forum’s Global Cybersecurity Outlook 2026 (“WEF Report 2026”) found that 64% of surveyed organizations are accounting for geopolitically motivated cyberattacks.[8]

According to the CCCS, state-sponsored actors are among the most sophisticated and well-resourced threat groups.[9] Their objectives often include espionage, intellectual property theft, and the disruption of essential services.[10] The impact of such activities can be severe, resulting in the loss of sensitive data, operational disruptions, and even risks to national security.

B. Key External Threats

The following external threats are expected to pose significant risks to companies throughout 2026.

(i) Ransomware

Ransomware remains one of the most persistent and financially disruptive threats. The NCTA 25/26 reports that ransomware “will almost certainly continue to grow in the next two years,” noting that ransomware actors have likely recovered from (and adapted to) heightened law enforcement pressure and other disruptions to the ransomware ecosystem in recent years.[11]

Companies should take note of the following trends in ransomware when developing their prevention and response strategies.

  • Affiliate‑Centric Ransomware‑as‑a‑Service (RaaS): In the RaaS model, parent threat actor organizations tend to sell or lease their ransomware variant to affiliates. One notable result of this “white-labelled” outsourcing to affiliates is increased volatility in threat actor behavior.[12] For instance, Victim Company A might have a very different experience from Victim Company B when dealing with the same general threat actor organization. It is entirely possible that upon payment, one victim might get a functional decryption key and assurances that its compromised data will be deleted, while the other victim might get a dysfunctional key and have its data published on the dark web.
  • Better obfuscation tactics: Threat actors are continuously developing new tactics and strategies to better hide themselves within a victim environment. The NCTA 25/26 reports that threat actors are using increasingly advanced encryption techniques to make it harder for victims to recover their data (e.g. hybrid, multi-layered encryption). Threat actors are also “living off the land” – using legitimate tools already present in the victim environment so that their activity blends in with normal administration – and remaining in the victim network undetected for longer periods of time to increase their lateral movement and attack effectiveness before dropping a ransom note.[13]

(ii) Social Engineering

Social engineering attacks, such as phishing, pretexting and impersonation, are expected to persist as a major external threat. The Google Report 2026 warns that AI‑enabled social engineering will intensify in 2026, with attackers using AI‑generated deepfake audio to impersonate executives or IT staff, highly tailored, error‑free phishing content, and AI‑assisted reconnaissance to create credible pretexts. AI‑generated messaging increasingly avoids the detectable cues (typos, awkward syntax, poor personalization) that traditionally signaled a fraud attempt. As a result, social engineering attacks are expected to become significantly more convincing and scalable.[14]

(iii) Supply Chain Attacks

As companies continue to embrace digital transformation and integrate sophisticated technology stacks, their dependence on specialized vendors that provide these advanced solutions also grows. Most companies rely on third-party vendors for key business functions such as enterprise-wide hosting (e.g., AWS and Azure) and enterprise resource planning solutions, which may include customer relationship management (CRM) and human resource management (HRM). Most of these vendors will process sensitive data belonging to the company, including personal information of employees and customers.

The NCTA 25/26 reports that vendor concentration is increasing cyber vulnerabilities.[15] As customers concentrate around the same large technology vendors, such vendors become centralized hubs of large amounts of data. This concentration makes them attractive targets for threat actors, who, by compromising a single vendor, can potentially gain access to the sensitive data of many companies at once. A good example dates to 2023, when CLOP – a ransomware strain – was used in an attack on MOVEit, a file transfer product used by thousands of companies globally. According to the NCTA 25/26, this single breach impacted approximately 2,750 other companies and 94 million individuals, and resulted in approximately USD $100 million in ransom payments.[16]

Under Canadian privacy laws, a company remains accountable for personal information that it shares with a third-party vendor for processing on its behalf. Consequently, if a company’s vendor is breached and personal information belonging to the company is compromised, depending on the facts, the incident may also be considered to be a breach of the company. In such situations, the company must ensure that any response satisfies its own mandatory breach record-keeping and notification obligations under privacy laws. This underscores the critical need for companies to exercise stringent oversight and enforce robust data protection measures (including strong contractual controls) when engaging with third-party vendors.

(iv) AI‑Centric Attacks on Enterprise Systems

As organizations increasingly embed AI‑driven tools into core business processes, threat actors are beginning to target these systems directly. The Google Report 2026 highlights a growing risk of attacks aimed at manipulating or abusing enterprise AI, including through techniques such as prompt injection, which can cause AI systems to bypass safeguards and execute unauthorized actions.[17] These attacks are expected to evolve from isolated proof‑of‑concept exploits into more coordinated campaigns involving data exfiltration, sabotage, or corruption of AI‑generated outputs.[18] As reliance on AI increases, these AI‑centric attack vectors are poised to become a distinct and material component of the broader breach landscape.

(v) Critical Infrastructure

Critical infrastructure environments remain particularly ripe for cyber targeting due to their operational complexity, legacy technologies, and the potentially outsized consequences of disruption. The NCTA 25/26 assesses that Canada’s state adversaries very likely view civilian critical infrastructure as a legitimate cyber target, especially via ransomware.[19] In this setting, state‑sponsored cyber activity goes beyond espionage to include pre‑positioning for future disruption or destruction.[20]

C. Mitigation Strategies

Companies should consider including the following in their strategies to mitigate the external threats identified above.

(i) Incident Response Plan

An incident response (IR) plan that evolves with the threat landscape is an incredibly useful tool to help keep the company organized when a breach occurs. Given the current threat landscape, it is imperative for companies to update their IR plans regularly and test them against realistic scenarios to effectively address the persistent threat of attack. Responding to an attack tends to require the help of certain service providers, namely for ransom negotiation and forensics. Therefore, it’s critical for the IR plan to delineate a clear strategy that enables the company to maintain legal privilege throughout the incident response process. This includes the engagement of legal counsel and ensuring that communications and activities during the response are appropriately protected.

The IR plan should incorporate lessons learned over time. Companies should conduct simulations – often referred to as tabletop exercises (or TTXs) – to test the effectiveness of their IR plans. These simulations should incorporate elements that are characteristic of the current threat landscape, such as the erratic nature of a ransomware affiliate or the hyper-realistic content in an AI-powered social engineering attack. Following such simulations or a real-life breach, a company should adjust its IR plan to address the gaps revealed in its response.

(ii) Data Hygiene

Companies should only retain sensitive data (notably, personal information) for as long as reasonably necessary to fulfill the purposes for which such information was collected (or as otherwise legally required). Not only is hygienic retention a requirement under Canadian privacy laws for personal information, but it is also a good strategy to mitigate the impact of an attack by giving threat actors less data to encrypt and exfiltrate. In practice, this means that companies should know what data they have (i.e., data mapping) and implement a data retention policy and process with clearly defined retention periods. Information governance is a challenge for most organizations – pragmatic approaches can include reducing exposure through archiving (i.e., offline storage) and de-identification.

Similarly, when it comes to sharing personal information with third-party vendors, companies must exercise diligence by restricting the data shared to only what is necessary for the vendor to perform their contracted services. This targeted approach to data sharing helps mitigate the heightened risk of breaches that may occur when threat actors target centralized vendors with access to large volumes of data.

(iii) Vendor Management

Companies should consider the following in building their vendor management strategy:

  • Vendor Diligence. Companies should have a standard process for assessing their vendors’ security and privacy controls. Given the ever-present threat of ransomware, companies should pay extra attention to controls that mitigate this risk, such as looking into the encryption standards used by the vendor for data at rest and in transit, data segregation methodologies, subcontractor and sub-processor controls, and data backup requirements. Moreover, with the rise of AI-backed products and services, such diligence should also consider which AI systems will be used by the vendor to process the company’s data or interact with its systems.
  • Contractual Safeguards. Appropriate contractual controls are another necessary component of a vendor management strategy. Companies should consider including the following in their vendor contracts:
      • Breach Notification. The contract should provide a clear definition of breaches along with a set of vendor obligations that would permit the company to comply with its obligations under applicable laws (and in particular, privacy laws). These obligations should include (i) reporting the breach to the company promptly and, in all cases, within a maximum time period, (ii) sharing information about the breach with the company as is reasonably required for the company to comply with its record-keeping and notification obligations, and (iii) taking prompt containment and remediation steps.
      • Clarity on Notification Obligations in the Privacy Context. There is a history of confusion about which party has the notification obligation in Canada for breaches involving personal information. While we don’t formally have ‘controller’ or ‘processor’ roles under Canadian private sector privacy laws as there are under the European Union’s GDPR, we do have a principle that a company remains accountable for personal information under its control. However, it is almost always better to clearly delineate which party is responsible for breach notification, particularly when getting into gray areas such as where personal information is “disclosed” to the vendor for the vendor’s own purposes (i.e., the vendor is not processing the data on the company’s behalf). In such scenarios, the breach notification obligations may not clearly fall on the vendor and/or the company. It is important to have this discussion with a company’s vendors and then make sure that the correct roles are assigned to each party in the contract.
      • Allocation of Liability. When it comes to indemnities for breaches, the discussion frequently centers around the mere allocation of risk. However, companies should adopt a more nuanced approach, focusing on specifics such as who will manage the breach response and who will bear the financial burden associated with it. Negotiations over indemnities and limitations of liability should move beyond mere positional bargaining. Vendors and processors that engage with a sophisticated and well-considered strategy should offer more substantial provisions than just a ‘stretch’ liability cap. These provisions might include detailed response obligations, clear definitions of covered damages, and a thoughtful balance of risks and responsibilities that align with the actual potential impact of a breach.

II. Internal Threat Horizon

A. Internal Threat Outlook

Companies often focus on external threats when assessing breach risk, but a significant number of incidents involve insiders. Internal threats may arise from malicious internal actors, but more commonly stem from human error, misjudgment, or insufficient training.

(i) Human Error

According to Verizon in its 2025 Data Breach Investigations Report (“DBIR 2025”), 65% of “internal actor breaches” were caused by human error.[21] The DBIR 2025 identifies misdelivery as the most prevalent action associated with human‑error‑driven incidents, reflecting the frequency with which data is unintentionally disclosed to the wrong recipient.[22]

Breaches caused by employee error may be attributed to negligence, insufficient skills, or a blend of the two. Although human fallibility means that individuals may occasionally exhibit negligence, companies can proactively reduce this risk by ensuring their workforce is appropriately skilled and trained. The WEF Report 2026 shows that deficiencies in cybersecurity skills remain an important driver of organizational vulnerability.[23] The cybersecurity skills gap will likely contribute to the occurrence of breaches in 2026 as companies adopt complex technologies that employees may not be sufficiently skilled or trained to handle securely.

(ii) Shadow IT

Another significant internal risk arises from the use of unsanctioned applications and technologies, often referred to as “shadow IT.” Employees may adopt unauthorized tools, including file‑sharing platforms, collaboration apps, or generative AI (“GenAI”) tools. Employees may be trying to improve efficiency or convenience, but such uses can create blind spots in an organization’s security and privacy controls. Unsanctioned GenAI tools are of particular concern, as they may involve the input of sensitive or personal information or company data into systems that lack appropriate safeguards, contractual protections, or visibility for the organization.[24] These tools can introduce unauthorized data disclosures, cross‑border data transfers, and secondary use of information outside the company’s control. Where employees lack clear guidance or training on approved technologies, the risk of inadvertent breaches driven by shadow IT increases, underscoring the importance of governance, clear policies, and user awareness around permissible tools and data handling practices.

(iii) Vicarious Liability For Employee Misuse of Data

At least in the privacy context, courts have increasingly expanded the doctrine of vicarious liability, holding companies responsible for employee misconduct that results in a breach. In Ari v. Insurance Corporation of British Columbia, the Supreme Court of British Columbia found the Insurance Corporation of British Columbia (ICBC) vicariously liable for its employee’s unauthorized access and sale of customer information, which was later used by third parties to carry out attacks. The Court emphasized that ICBC created the risk by placing the employee in a position where she could improperly access personal information and that her misconduct was closely connected to her employment. ICBC argued that the criminal acts of third parties were unforeseeable intervening events, but the court rejected this, finding that once the employee disclosed the information, ICBC lost control over how it would be used, which made the subsequent harm sufficiently connected to the breach. This case highlights the increased legal exposure for employers when insiders misuse personal information and reinforces the need for strong internal safeguards, access controls, and proactive monitoring to prevent and detect privacy violations.[25]

B. Mitigation Strategies

(i) Culture of Compliance

Getting ahead of the skills gap and shadow IT issues is of significant importance for companies to mitigate the risk of internal breaches. Central to their approach should be the establishment of a culture that prioritizes privacy and security compliance. Such a culture should encourage all employees – and not just the CISO or Privacy Officer – to be vigilant at all times and to escalate and ask questions whenever they are unsure about a potential risk.

(ii) Documented Policies and Procedures

Cultivating a culture of compliance starts with documenting the company’s privacy and security principles and controls. It’s essential for the entire workforce to grasp the fundamental principles outlined in these documents, as this understanding is key to instilling the correct reflexes and behaviors necessary for upholding the company’s security standards.

It is crucial that a company’s policies and procedures evolve with the risk landscape. Looking ahead, companies should prioritize the documentation of their strategies concerning the lawful and ethical use of AI. Even though there is no general AI regulation in Canada at present, companies must still operate within the bounds of the existing legal frameworks. Company policies should clearly delineate the specific risks associated with AI and establish a robust governance framework that outlines how employees can responsibly utilize these technologies.

(iii) Role-Based Training

Closing the skills gap also requires training. Mandatory privacy and security training for all employees is essential and should be conducted regularly. Such training should build upon the company’s policies and procedures – bringing them to life – and should account for role-specific risks.

Conclusion

Data breaches are becoming more common and are expected to remain a significant threat to Canadian businesses through 2026. This trend is driven by an anticipated rise in ransomware attacks, sophisticated social engineering tactics, and disruptions in supply chains, along with enduring insider threats often resulting from human error. While the rapid development and adoption of AI technologies offer numerous advantages – including bolstering cybersecurity capabilities – they also introduce new risks to the privacy breach landscape. The intricate nature of AI tools may exacerbate the likelihood of breaches due to human mistakes, while simultaneously providing cybercriminals with more advanced methods for executing their attacks. Addressing these risks is important to mitigate the potentially costly consequences of a breach. Stay tuned for the upcoming entry in our blog series, where we delve into the evolving legal framework surrounding breaches.

This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. As threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To help you stay ahead of these challenges, each part of this series provides actionable insights on data breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.

What we mean by “data breach”

When people hear “data breach,” they often think only of incidents involving personal information. In this series, we use the term more broadly. We’re looking at any security incident where sensitive or confidential data is accessed, exfiltrated, published, changed, wiped, or made unavailable without authorization – whether that data belongs to individuals or to the business itself. That includes everything from intellectual property and financial records to operational systems taken offline by ransomware.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

Footnotes

[1] IBM Report, p. 11 [LINK]. The IBM report presents the cost figure in U.S. dollars. The amount of CAD $6.6 million represents a conversion to Canadian dollars based on the exchange rate in effect as of the date of this writing.

[2] Quebec Act, s. 90.12 and 91.

[3] NCTA 25/26, p. 8 [LINK].

[4] Google Report 2026 [LINK].

[5] NCTA 25/26, p. 32.

[6] Google Report 2026, p. 4.

[7] Google Report 2026, p. 5, 7, 8.

[8] WEF Report 2026 [LINK], p. 5.

[9] NCTA 25/26, p. 10-18.

[10] NCTA 25/26, p. 10-18.

[11] NCTA 25/26, p. 22, 23.

[12] NCTA 25/26, p. 24, 28.

[13] NCTA 25/26, p. 29.

[14] Google Report 2026, p. 5-6.

[15] NCTA 25/26, p. 36.

[16] NCTA 25/26, p. 23.

[17] Google Report 2026, p. 4-6.

[18] Google Report 2026, p. 4.

[19] NCTA 25/26, p. 25.

[20] NCTA 25/26, p. 7, 8, 12-17.

[21] DBIR 2025 [LINK], p. 22.

[22] DBIR 2025, p. 60.

[23] DBIR 2025, p. 49-50.

[24] DBIR 2025, p. 24-25.

[25] Ari v. Insurance Corporation of British Columbia, 2022 BCSC 1475.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

