A National-Scale Breach
On October 14, 2025, Canadian Tire Corporation confirmed a data breach affecting several of its banners, including SportChek, Mark’s, and Party City. The compromised information includes names, mailing addresses, emails, birth years, and encrypted passwords. For approximately 150,000 customers, full birth dates may also have been exposed. (source : La Presse )
But things escalated quickly. On October 21, a cybercriminal claimed on a hacker forum that they were in possession of a database containing 41,994,793 profiles, nearly 40 million with passwords. The full database was reportedly put up for sale on the dark web for $100,000 USD. (source : Journal de Montréal)
This breach, targeting one of the most iconic retail brands in Canada, dominated the headlines. But beyond the media noise, it reveals a harsh truth: many SMEs are just as vulnerable — if not more.
A Harsh Reality: SMEs Are Not Ready
Unlike giants like Canadian Tire, most SMEs lack the resources and structured protocols to manage a major security incident. Yet they, too, hold sensitive data: customer details, financial information, contracts, and more.
Even more concerning, studies like the BDC’s 2024 report show that nearly 60% of Canadian SMEs have no formal incident response plan. Many rely on luck — or basic antivirus software — as their main line of defense. A risky gamble in an age of increasingly targeted cyberattacks.
What Canadian Tire Teaches Us (or Reminds Us)
This incident highlights several critical weaknesses that every organization — regardless of size — should consider. Chief among them: access control. Who has access to what, and why? Too often, user accounts go unaudited or remain active long after employees leave.
Then there’s the issue of dormant data. Old, forgotten databases that are never cleaned up become treasure troves for attackers. And finally, late detection remains a major problem — breaches often go unnoticed for weeks or months.
If a company with Canadian Tire’s IT infrastructure can fall victim to such an attack, what does that mean for a small business with no in-house IT team or limited tech capacity?
Three Critical Questions to Ask Right Now
- Do we truly understand the current state of our IT security?
- Do we have a 24-hour action plan ready if a breach happens?
- Are our employees trained to spot phishing and social engineering attempts?
All too often, security gaps are only discovered after an incident — when the damage is already done.
Practical Actions You Can Take Today
Rather than wait for disaster to strike, it’s better to prepare. Here are essential measures SMEs should implement now:
Enable multi-factor authentication (MFA) on all critical accounts. Review user access regularly, deactivate unused accounts, and apply the principle of least privilege. Segment your networks to contain potential intrusions. Back up your data regularly — and test your backups. Most importantly, train your employees continuously on cybersecurity best practices.
Cybersecurity is no longer a luxury — it’s a cornerstone of modern business resilience.
A Warning for All Businesses, Big and Small
The Canadian Tire breach is a stark reminder: data security is never guaranteed. No business is too big — or too small — to be a target. Quebec SMEs must leave passivity behind and adopt a proactive, defense-ready mindset.
If this article resonated with your current challenges, Mon Technicien can help you gain clarity. Our team already supports many Quebec-based SMEs in strengthening their IT security posture.
in your taskbar.