Canada’s gun owners have no reason to trust the federal government, and whatever misplaced faith remains took a huge hit when details of a cybersecurity breach at the Canadian Firearms Program became public.
The Canadian Firearms Program (CFP) is the statutory program operated by the Royal Canadian Mounted Police (RCMP) to oversee firearms licenses and registration in Canada, with the aim of “enhanc[ing] public safety.” This responsibility over licensing and registration means the RCMP obtains and manages sensitive personal information that every licensed gun owner and gun business in Canada is compelled to provide to the government.
Five years ago, Canadian firearm rights news site TheGunBlog.ca reported that information in the CFP was jeopardized due to a “possible ransomware attack incident on a private company” providing services in connection with the CFP. At the time, TheGunBlog.ca notes, the CFP website posted a warning about the attack as well as a statement advising that the “CFP will communicate any pertinent updates as they become available.” That statement was deleted a few days later and the reference to the cyberattack itself was deleted in June 2021.
The Investigative Journalism Foundation (IJF) (“an independent, non-profit newsroom” that “covers the intersection of money and power in public life”) has now published further information in relation to the incident. The article, Hack linked to gun licensing program was biggest federal data breach in last 5 years: documents, reveals that not only did the RCMP fail to warn affected gun owners about the attack more generally, it delayed reporting the incident to the Office of the Privacy Commissioner until September 2021, months after the RCMP itself first learned of it.
The Office of the Privacy Commissioner (OPC) is responsible for enforcing federal laws on how federal government institutions must handle personal information. According to the IJF, OPC documents indicate the breach was caused by “cyber incident malware” that resulted in “unauthorized access.” The OPC initially and inexplicably “redacted the number of individuals affected” by the breach but has since provided a preliminary estimate of 2.2 million people (or 7.1 per cent of the Canadian population at the time). This makes the CFP incident the largest data breach reported by a federal government institution to the OPC in the last five years.
The RCMP’s response to the hack, as described by the IJF, was to have its “teams conduct[] a three-month internal assessment” and implement measures “to notify Canadian Firearms Program clients of the situation.” Although “there was no indication that any personal information was viewed or extracted,” the RCMP advised “it is not possible to confirm that it was not accessed” (emphasis added). Muddying matters even more, the IJF states that both the Privacy Commissioner and the RCMP “declined to reveal to the IJF the third-party company that experienced the breach, although the RCMP noted it ‘still uses this third party’s services.’”
The Canadian Shooting Sports Association (CSSA) responded to the news of the “massive data breach” by calling it a “catastrophic failure of basic data stewardship.” While the-then “Public Safety Minister Bill Blair hid the data breach from licensed gun owners … organized criminals had a target-rich list to choose which guns they would steal and from whom.” Blair, whose career included acting as the police chief of Canada’s largest city, had to have known the public safety risk that access to this kind of confidential information represents yet, as the CSSA states, he opted “to protect his career instead of doing his job: protecting the lives and property of 2.2 million licensed Canadian gun owners” by issuing “a valid and urgent public warning.”
The data breach and the government’s lackadaisical response prompted the CSSA to call for accountability and corrective measures going forward: “Parliament must demand independent oversight, mandatory data breach notification, and consequences for officials who choose silence over public safety.” If enhanced public safety is truly the goal of the CFP, then keeping citizens’ sensitive personal information out of harm’s way is the least to ask.
The Canadian incident is just the latest in a string of government data breaches in which improperly exposed sensitive personal information placed law-abiding gun owners at risk of home invasions, burglaries, identity theft, or worse.
In a now notorious example in 2022, California residents were “horrified” to learn that an update to the state’s new “Firearms Dashboard Portal” had made available to the public the personal information of thousands of individuals who had applied for a concealed carry permit between 2011 and 2021. The state’s Department of Justice admitted that the compromised information included names, date of birth, gender, race, driver’s license number, addresses, and criminal history, and that the breach may have been much more extensive, with personally identifiable information potentially exposed from the “Assault Weapon Registry, Dealer Record of Sale, Firearm Certification System, and Gun Violence Restraining Order dashboards.” Although the Firearms Dashboard Portal was taken down soon after, NRA-ILA reported at the time that “individuals were able to download all of the leaked personal information from the DOJ website – meaning this information is likely now in the public in perpetuity.”
More recent breaches were uncovered in 2025. In Australia, a similar online Firearms Licensing and Registration Portal developed by the Western Australia Police Force was reportedly “paused” after it was discovered that the portal leaked the addresses of gun owners’ safe storage locations. Iranian-linked hackers reportedly succeeded in getting access to Israel’s databases containing sensitive gun owner data and uploaded the information to different online digital archives.
These far from uncommon incidents are one reason why the NRA continues to advocate for greater protections for the privacy of gun owners. As part of that mission, last week the NRA filed an amicus brief jointly with the Second Amendment Foundation in the case of Hall v. Sig Sauer, urging a Pennsylvania federal court to reconsider an order requiring Sig Sauer to disclose its customers’ names and contact information without their consent.
As the brief explains, privacy in firearms ownership has necessarily “been a fundamental component of the Second Amendment right” given that the Second Amendment “exists as a last-resort check” or “‘doomsday provision’ for the People to protect themselves from a tyrannical government.” Not only does our historical tradition support the idea that Americans have a reasonable expectation of privacy in their status as gun owners, but many modern federal and state laws respect this privacy interest as well.
It goes without saying that many in government do not support the right of individuals to keep and bear arms. And while it is easy enough to believe that mere incompetence explains the pattern of data “leaks” we’ve seen, it is not possible to rule out malicious action, if only on the part of individuals with access to the data. It is notable that even with the advent of electronic recordkeeping, private federal firearm licensees, who have a direct economic incentive to avoid leaks, have seemingly done a better job as stewards of information privacy than their government counterparts. Whatever may ultimately explain this repeated and now virtually expected phenomenon of leak after leak, it is all the more reason for law-abiding gun owners to oppose firearm registration, firearm licensing, and other measures that compel disclosure of sensitive personal information to the government as a precondition to exercising fundamental rights.
More Like This From Around The NRA
