Canada Computers & Electronics, one of Canada's largest technology retailers with over 30 locations across Ontario and beyond, has disclosed a data breach affecting 1,284 customers. The breach exposed payment card information including cardholder names, card numbers, and expiry dates collected during online transactions between November and December 2025.

How the Breach Occurred

The breach was discovered during a routine security audit in January 2026. Investigators found that a web-skimming script had been injected into the checkout page of Canada Computers' e-commerce platform, a technique commonly known as a Magecart-style attack. The malicious code captured payment card data in real time as customers entered their information during checkout.

The skimming script was active for approximately six weeks before detection, capturing payment details from customers who made purchases through the website during that period. In-store transactions processed through physical point-of-sale terminals were not affected.

Data Compromised

  • Cardholder names
  • Credit and debit card numbers
  • Card expiration dates
  • CVV security codes entered during checkout
  • Billing addresses associated with the payment cards

Company Response

Canada Computers has taken several actions following the discovery:

  • Removed the malicious code and secured the e-commerce platform
  • Engaged a PCI-certified forensic investigator to conduct a full assessment
  • Notified all 1,284 affected customers via email and registered mail
  • Offering 12 months of complimentary credit monitoring through Equifax Canada
  • Reported the breach to the Office of the Privacy Commissioner of Canada
  • Implemented additional security monitoring including real-time integrity checking of checkout pages

PCI-DSS Compliance Implications

The breach raises questions about Canada Computers' PCI-DSS compliance status. The Payment Card Industry Data Security Standard requires merchants to maintain secure systems and protect cardholder data. Web-skimming attacks specifically target gaps in requirements related to script integrity monitoring and change detection on payment pages.

PCI-DSS v4.0, which became mandatory in March 2025, introduced new requirements (6.4.3 and 11.6.1) specifically addressing client-side script management and change/tamper detection on payment pages. Organizations that have not yet fully implemented these controls remain vulnerable to Magecart-style attacks.

What Affected Customers Should Do

  • Monitor credit card and bank statements for unauthorized charges
  • Contact your card issuer to request a replacement card
  • Enrol in the complimentary credit monitoring offered by Canada Computers
  • Be cautious of phishing emails claiming to be from Canada Computers
  • Report any suspicious transactions to your financial institution immediately

Retail Cybersecurity Trends

Web-skimming attacks continue to be one of the most prevalent threats facing e-commerce retailers. These attacks are difficult to detect because the malicious code executes in the customer's browser, bypassing traditional server-side security controls. Organizations must implement client-side monitoring and security controls, Content Security Policy headers, and regular integrity verification of their checkout pages to defend against these threats.
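The integrity verification described above can be sketched as a comparison between the scripts a checkout page actually serves and an authorized inventory, in the spirit of PCI-DSS 6.4.3 and 11.6.1. This is an added example, not code from Canada Computers or its investigators; the shop URL, inventory, page and script bodies are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:
    """Subresource Integrity value (sha384) for a script's bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):  # collects (src, integrity, inline text) per <script>
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = [a.get("src"), a.get("integrity"), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[2] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None

def audit(html, bodies, allowed_src, allowed_inline):
    """Return findings for scripts that differ from the authorized inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity, text in parser.scripts:
        if src is None:  # inline script: its hash must be in the inventory
            if sri(text.encode()) not in allowed_inline:
                findings.append(("unauthorized-inline", text.strip()[:40]))
        elif src not in allowed_src:  # external script nobody authorized
            findings.append(("unauthorized-src", src))
        elif integrity != allowed_src[src]:  # browser would not enforce the hash
            findings.append(("missing-or-wrong-sri", src))
        elif sri(bodies.get(src, b"")) != allowed_src[src]:  # served bytes changed
            findings.append(("content-changed", src))
    return findings

# Constructed sample data: hypothetical shop, inventory, served page and script bodies.
CHECKOUT = "https://shop.example/js/checkout.js"
INVENTORY = {CHECKOUT: sri(b"/* checkout v1 */")}
INLINE_OK = {sri(b"initCheckout();")}
BODIES = {CHECKOUT: b"/* checkout v1 */"}
PAGE = (f'<script src="{CHECKOUT}" integrity="{INVENTORY[CHECKOUT]}"></script>'
        '<script>initCheckout();</script><script>unknownInline();</script>'
        '<script src="https://cdn.example.net/extra.js"></script>')
FINDINGS = audit(PAGE, BODIES, INVENTORY, INLINE_OK)
```

In a real monitor the page and script bodies would be fetched as a customer's browser receives them and the check run on a schedule, with any finding raised as an alert.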
