Apr 9, 2026

When the model works and the results don't

Data Series
| Part
4

Reading time:

4 min read

38 million customer accounts breached through a supporting e-commerce database nobody thought to protect. Security as concentric rings, not perimeter walls.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

38 million customer accounts. That’s the scope of the Canadian Tire e-commerce database breach disclosed in October 2025 (CBC News, October 2025). Names, addresses, emails, dates of birth, encrypted passwords. Not from the banking system. Not from the loyalty programme. From a supporting e-commerce database that served Canadian Tire, SportChek, Mark’s, and Party City.

The banking data was fine. The Triangle Rewards data was fine. The system nobody thought to protect with the same rigour as the crown jewels turned out to be the one with 38 million records in it. Technical analysis suggests a configuration error or an unpatched vulnerability, not a sophisticated attack (OffSeq Threat Radar, February 2026).

A firewall around the perimeter. Nothing around the data.

The threat isn’t always the one wearing a hoodie

Your data lives everywhere. Cloud platforms, local files, SaaS applications, test environments, remote endpoints, and the legacy server in the closet that survived 3 office moves and an Edmonton winter. In Canada, federal and provincial rules around privacy, access, residency, and incident reporting cross jurisdictions and change regularly.

And it’s not always hackers. Misconfigurations. Copy-paste jobs between environments. Former employees whose access persisted months past their last day. Well-meaning vendors with broader permissions than the contract intended. These cause as many incidents as external threats. Nobody writes a dramatic headline about a misconfiguration, but the damage is the same.

Security as rings, not walls

Perimeter defence made sense when the perimeter was a place. Security has to follow the data now, not surround the building. Think concentric rings, each one protecting the layer inside it.

Ring 1: identity at the centre

No identity, no security. Everything else is decoration. Microsoft Entra ID provides role-based access and context-aware controls that reduce the attack surface before a threat arrives. Who is this person? What device? Is this request consistent with their normal behaviour? Identity is the smallest ring and the most consequential. Get it wrong and every other ring is a suggestion.

Ring 2: protect the data itself

The perimeter is gone. The data is what’s left to protect. Encryption at rest and in transit: Protegrity for fine-grained, field-level protection across platforms, Azure Key Vault and database-native capabilities for encryption management. Data masking in test environments, sensitive-data tagging through the catalogue, automated risk flags. When the data moves, the protections move with it. When someone copies production to dev (and someone will), the masking is already applied.

Ring 3: monitor everything, automatically

You can’t protect what you can’t see, and you can’t see what you’re not watching. Microsoft Sentinel and Defender deliver continuous, real-time visibility and anomaly detection. When Gary’s phone buzzes at 2 a.m., the difference between a 10-minute resolution and a 10-week investigation is whether context was attached to the alert. An alert without context is noise. An alert with lineage, classification, and access history is a decision.

Ring 4: resilience, because containment beats prevention

Assume breaches happen. Build for containment and recovery. Incident response built around Azure Arc and Rubrik immutability features lets you isolate damage, recover data, and move forward while protecting client trust. Resilience isn’t a backup strategy. It’s the difference between a Tuesday morning incident and a Tuesday morning crisis.

Security is what lets AI ship

Security sits underneath every AI, cloud, and analytics initiative that actually makes it to production. The strongest version of it isn’t patched after the fact. It’s built into the data architecture from day one.

Where this leads

Security enforces the rules. Governance decides them. Nobody gets promoted for governance work covers the framework that gives security its mandate.

Security protects data. Privacy decides what counts as protected. Your policy says one thing, your environment says another covers the controls that tell security what to defend.

And if your data and AI workloads need to stay under Canadian law, that’s the Data Sovereignty service.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA