The Ontario Public Service Employees Union / Syndicat des employés de la fonction publique de l’Ontario (OPSEU/SEFPO) takes the protection of personal information entrusted to us very seriously. As you may know, OPSEU/SEFPO was the target of a cybersecurity incident. This notice aims to provide information on this incident, measures taken in response by OPSEU/SEFPO, and to advise impacted individuals of the steps available to them to protect their personal information.
What Happened?
On April 2, 2025, we discovered that an unauthorized third party had gained access to our IT systems. Upon discovering the incident, we immediately implemented countermeasures to prevent any further unauthorized access or activity. We also engaged third-party cybersecurity experts to assist with containment and remediation efforts, as well as to conduct a thorough investigation into the cause and scope of the incident. The incident was promptly disclosed to law enforcement authorities.
The investigation conducted by our experts confirmed that data was impacted as a result of this incident. Following this discovery, we promptly began a detailed assessment to determine precisely which information may have been compromised. It is following this analysis that we are providing this notice.
What Personal Information Is Involved?
OPSEU/SEFPO has undertaken an extensive review to determine what data, and which individuals’ personal information may have been compromised, and the types of personal information involved. Due to the extensive damage caused by the incident, which rendered some files unreadable and required significant restoration efforts, along with the complex unstructured files involved, the review has taken several months to complete. Following our review, we were able to identify that current and former OPSEU/SEFPO members and employees had personal information compromised by the incident.
All individuals for whom we had contact information on file will receive a personalized notice by postal letter or email detailing the nature of their personal information that was exposed. Please note that email notices will come from: OPSEU/SEFPO <noreply@cyberrecovery.opseu.org>.
An online lookup tool is also available at cyberrecovery.opseu.org, which individuals can use to determine whether or not their information was affected by the incident and, if so, to provide an email address to which a personalized notice will be sent.
What Have We Done Following The Incident?
Following the incident’s discovery, we immediately engaged third-party cybersecurity experts to contain the incident and investigate the circumstances and impacts surrounding it. The incident has been contained, and we have implemented additional parameters, in addition to our existing security measures, to prevent such an event from happening again. While cybersecurity incidents are unfortunately increasingly common, OPSEU/SEFPO is committed to safeguarding the personal information entrusted to us.
To guard against any potential misuse of personal information, we have offered impacted individuals a 12-month subscription to credit monitoring and identity protection services through TransUnion. Detailed instructions explaining how to activate this service are provided to impacted individuals through the personalized notice.
Please remain vigilant – We encourage everyone to remain vigilant against regarding ongoing threats of identity theft or fraud by engaging in the following best practices:
- Be cautious when sharing your personal information with third parties, whether by phone, email, or on a website. Never respond to unsolicited requests for your personal information.
- Monitor your bank accounts. If you have any doubts or identify transactions that appear fraudulent or suspicious on your credit or debit card, we recommend contacting your financial institution.
- Avoid clicking on links or downloading attachments found in suspicious emails.
- If you receive communications that appear to come from OPSEU/SEFPO, asking for financial information or other personal information and you were not expecting these communications, please consider these communications as fraudulent until you can verify otherwise.
The following website offers additional tips and resources to help you protect your identity: https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guide_idt
OPSEU/SEFPO sincerely thanks its members and employees for their understanding during this difficult incident.