Security Check-in Quick Hits: Canadian Firearms Data Breach, AMD Driver Vulnerability, and Push for Secure Government Coding

For February 11, 2026

The Hidden Danger - Unveiling the 2021 Canadian Firearms Data Breach

In a shocking revelation that’s sending ripples through Canada’s gun-owning community, details have emerged about a massive data breach in the Canadian Firearms Program (CFP) that occurred back in 2021. This incident, which compromised the personal information of approximately 2.2 million Possession and Acquisition License (PAL) holders, was kept under wraps by the government until recently. The breach involved unauthorized access to sensitive license data, handled by third-party contractor Accenture Inc., which continues to provide services to the Royal Canadian Mounted Police (RCMP) despite the incident.

The breach’s exposure comes at a particularly tense time, coinciding with discussions around public safety and privacy in the wake of tragic events like the recent school shooting in Tumbler Ridge, British Columbia. Gun owners are now questioning the government’s obligations under the Privacy Act and PIPEDA to secure personal data. Posts on X highlight fears of imminent danger to PAL holders, with calls for police protection and lawsuits against Accenture. The Privacy Commissioner of Canada and RCMP have acknowledged the breach as the largest federal data incident in five years, yet transparency remains limited—details on the exact nature of the compromised data or the breach method are scarce.

This event underscores a broader issue in cybersecurity: the risks of outsourcing sensitive data management to third parties without robust oversight. For gun owners, the implications are dire—potential identity theft, targeted harassment, or worse. As one X user pointed out, law-abiding citizens now have less privacy than criminals in some contexts. Moving forward, affected individuals are encouraged to contact the Office of the Privacy Commissioner and monitor their personal information closely. This breach serves as a stark reminder for governments worldwide to prioritize data security and timely disclosure to protect citizens.

Exposed Weaknesses - The AMD uProf Driver Privilege Escalation Vulnerability

A new vulnerability disclosure is raising alarms in the hardware and software security community: CVE-2025-61969, a file write flaw in AMD’s AMDPowerProfiler.sys driver. Discovered by security researcher Bad_Jubies, this bug allows low-privileged users to create files anywhere on a Windows system, potentially leading to privilege escalation through DLL hijacking techniques.

The vulnerability stems from the driver’s handling of IOCTL 0x222008, where user-controlled input is passed directly to ZwCreateFile without proper sanitization. By exploiting a string length miscalculation—validating in characters but copying in bytes—attackers can truncate paths and write files to protected directories like C:\Windows\System32. Combined with the directory’s ACL settings granting full control to file creators, this enables hijacking services like the Windows Print Spooler by planting malicious DLLs (e.g., ualapi.dll).

The proof-of-concept exploit, available on GitHub, demonstrates registering as a client, creating the file, writing malicious code, and restarting the service to achieve elevated privileges. While AMD has likely patched this in recent driver updates, users with older versions remain at risk. This isn’t the first issue in AMD drivers; prior bugs have been noted, highlighting the need for rigorous kernel driver auditing.

For users, the takeaway is clear: Keep drivers updated, monitor for unusual file creations in system directories, and consider tools like IOCTLance for vulnerability hunting. This disclosure emphasizes the ongoing cat-and-mouse game in hardware security, where even major vendors like AMD can leave doors open for exploitation.

Advocating for Change - Canada’s Push for Mandatory Secure Coding in Federal Software

Amid growing concerns over government data handling, a new parliamentary petition in Canada is gaining traction, calling for mandatory secure coding practices in all federal software development. Initiated by cybersecurity advocate Tanya Janca (known on X as @shehackspurple), the petition aims to address systemic vulnerabilities that lead to breaches like the recent firearms data incident.

The petition, available on the House of Commons website (e-7115), argues that incorporating secure coding from the ground up—such as input validation, encryption, and regular audits—could prevent many exploits. Janca, a secure coding trainer and author, has been campaigning for this for years, pointing to the high costs of reactive fixes versus proactive security. With signatures building, it reflects a public demand for better cybersecurity in public sector tech, especially after revelations of hidden breaches and inadequate protections.

This initiative ties into global trends, where supply chain attacks and software flaws are top concerns. For Canadians, signing the petition is a step toward safer government systems. Broader implications? It could set a precedent for other nations, encouraging policies that treat cybersecurity as a core requirement rather than an afterthought. As Janca notes, public safety depends on robust tech—now’s the time to act.