The breach they won't *pay* for.

On April 27, Public Safety Canada tabled the federal government's response to written question Q-944 from Conservative MP Frank Caputo. The response covers a 2021 ransomware attack on a private contractor that held the personal data of roughly 2.2 million licensed Canadian firearm owners. It is, on the documentation, the largest federal data breach reported to the Office of the Privacy Commissioner in the past five years.

The federal answer to Caputo's question is short. No compensation has been paid to the affected owners. Public Services and Procurement Canada conducted an audit in 2021, but the RCMP says it has not been made aware of the results. The vendor that held the data, Gilmore, has continued to receive federal contracts tied to the firearms program in 2022, 2023, and 2025. The main printing and distribution contract, originally signed in September 2019 for $9,011,750.01, was extended past its March 31, 2026 expiry to June 30, 2026.

That is the entire policy posture, five years on. The licensed Canadian firearms community is asked to trust a federal program that lost its data, won't say what its own audit found, has paid nothing in restitution, and is still doing business with the same vendor.

What was actually lost

The attack itself is now well documented, mostly thanks to reporting by the Investigative Journalism Foundation in early 2026 that pried loose the actual scale. The RCMP was first notified of the ransomware incident on March 17, 2021. The breach hit Gilmore, the private vendor handling printing, warehousing, inventory management, and distribution for the Canadian Firearms Program. The data exposed was licence information for an estimated 2.2 million PAL and RPAL holders.

At the time, the RCMP posted a brief notice on its anti-firearms program page calling it a "possible ransomware attack" affecting a private company that served multiple federal departments. The notice was deleted in June 2021. The 2.2 million figure was not part of any public communication from the RCMP. It became public years later, through documents obtained by the IJF under access-to-information.

The IJF reporting also notes that, while the RCMP has consistently said there is "no indication" any personal information was viewed or extracted, it could not confirm that it was not accessed. That is the honest answer: nobody knows what the attackers got. What is known is that the federal program responsible for the most heavily vetted demographic in the country could not, in 2021, vouch for the integrity of the licence data it had collected from them.

How the government answered five years later

The April 27 response to Q-944 is the first time the government has been put on record about consequences and remedy. It is not a long document. The substantive sentences land in three places.

On compensation, the RCMP's response is exact: "The Royal Canadian Mounted Police is unaware of any action that has been taken to compensate those whose data was breached." That is not a denial that compensation might have been paid. It is a statement that the federal police force responsible for the program does not know.

On accountability for the vendor, the response confirms that PSPC conducted an audit in 2021. The RCMP adds that it has not been made aware of the results. Five years after the largest federal breach in five years, the police agency that runs the affected program does not have access to the procurement department's findings about the vendor that lost its data.

On the contractor relationship, the response confirms Gilmore has continued to receive federal work tied to the firearms program after the breach: contracts in 2022, 2023, and 2025 ranging from equipment purchases to publishing and printed-matter services. The main contract, $9,011,750.01 for the printing-and-distribution function the breach itself involved, was originally set to expire on March 31, 2026, the deadline the buyback program was racing against. It has been extended to June 30, 2026.

Acknowledge the strongest version of the other argument

A reasonable defender of the federal posture would say a few honest things.

Cyber incidents happen. Federal departments contract with private vendors to handle bulk printing and distribution because building those functions in-house is expensive and slow. Vendors get attacked. The federal government cannot indemnify every Canadian against every third-party breach without breaking the model that lets it deliver services at all. The 2021 incident was reported. Notices went up. The RCMP says, and continues to say, that there is no evidence of actual exfiltration. Switching vendors mid-contract, on a function as critical as printing licence renewals during a buyback program, would have been operationally reckless.

That argument is not made up. It is a defensible read of the operational constraints. It is also incomplete in a specific way that matters.

The Canadian Firearms Program does not collect data from a general population. It collects data from a population the federal government has specifically chosen to track, screen, and continuously vet, on the legal premise that the data collection is the price of holding a licence. Licensed owners cannot opt out. They cannot decline the vendor relationship. They cannot ask for their information to be held in a way that does not flow through Gilmore. The trust in the data steward is conscripted. When that trust is broken, the response that this is a normal cybersecurity incident and the program will continue with the same vendor is a policy decision, not an inevitability.

What "no compensation" actually means

For a private-sector breach affecting two million Canadians, the standard response in 2026 is well established. The breached entity offers credit monitoring, identity-theft insurance, and a remediation contact. Class actions follow. Regulators investigate, fines land, executives lose jobs, vendor relationships end. None of that is generous; it is the floor.

For the 2021 firearms-program breach, the floor has not been touched. The federal answer is that no compensation has been paid, no audit results have been shared with the program owner, and no contracting consequences have followed. The PAL holders whose information was exposed have received exactly what the RCMP web notice gave them between March and June 2021, and nothing after.

The practical effect for an individual licensed owner is small in any given week. The data exposed was licence information, not credit-card numbers. Most affected people will go their whole lives without being able to attribute any specific harm to this incident. That is the honest read, and it is part of why the file has not generated more political pressure.

The slower effect, the one worth naming, is what a five-year non-response signals to the next file. Every additional dataset the federal program collects from the licensed community now sits in a context where the precedent is: if it is lost, the response will be a brief web notice, an audit nobody is told about, and a quiet contract extension. That is not a hypothetical. That is the documented federal posture as of April 27, 2026.

The pro-ownership read

Holdover's stated position is that licensed Canadian firearms ownership is a serious adult activity, undertaken by the most heavily vetted demographic in the country, and entitled to be treated by its regulators with the same standard of care the regulators expect from licence holders.

The 2021 breach is a clean test of how that contract is being honoured. PAL and RPAL holders submit to federal screening, continuous eligibility, transport and storage rules, classification compliance, and an obligation to keep their licence data accurate and current. That obligation flows one way. The data, once collected, is the program's responsibility. When it is lost, the program is responsible for naming the loss, fixing the cause, and making the affected population materially whole.

None of those three has happened in this file. The loss was named only after journalists pulled the figure out of an access-to-information request. The cause has not been disclosed even to the police agency that runs the program. The affected population has been told, in the official record on April 27, that no remedy has been considered. The same vendor still has the work.

A pro-ownership read of that record is not a complaint. It is an observation about whether the licensed community is being treated as a constituency the program serves, or as a population the program processes. The April 27 response is one data point. It is consistent with the broader pattern of the last six years of Canadian firearms policy, in which the regulated side of the file has carried the cost of poor public-safety decision-making while the rest of the file goes unaddressed.

What to do with this

Three concrete steps for any licensed Canadian who wants this to land somewhere.

First, read Q-944 yourself. It is on the House of Commons written-questions portal at ourcommons.ca under the 45-1 session. It takes about ten minutes. The federal government's actual words are short and worth reading in their original form before deciding what you think of them.

Second, write your MP. Not a form letter. A short, dated, factual note that mentions the Q-944 response, asks specifically what your MP plans to do about a federal program that lost the data of 2.2 million constituents and paid no compensation, and asks whether your MP supports an independent audit of the Gilmore contract. Two hundred words is enough. MPs read constituent mail that names a specific document and asks a specific question. They do not read mass form mail.

Third, talk to your provincial firearms commissioner if you have one. Saskatchewan and Alberta both maintain firearms-policy offices that engage federally on behalf of licensed owners. If your province has one, this file is exactly the kind of thing a provincial commissioner can press on, both publicly and through intergovernmental channels. The federal program's posture is not the only level at which this can be challenged.

Where this leaves us

The buyback file will keep generating headlines. The Supreme Court will hear the OIC challenges. October 30 will arrive. None of those things will return the licence data of 2.2 million Canadians, or change a federal posture that has decided, on the record, that the appropriate response to losing that data is to extend the contract. The April 27 answer to Q-944 is not the end of this file. It is the first time a federal department has been put on the record about it. That on-the-record answer, in the publication's quiet view, is the most candid expression yet of what the licensed community is currently worth to its regulator. The work, on this file and on the rest of them, is to make it cost more.

Sources · editorial note

• House of Commons, Written Question Q-944, 45-1 (ourcommons.ca/written-questions/45-1/Q-944)
• Public Safety Canada response to Q-944, tabled April 27, 2026
• Investigative Journalism Foundation, "Hack linked to gun licensing program was biggest federal data breach in last 5 years," February 2026 (theijf.org/article/rcmp-firearms-program-hack)
• TheGunBlog.ca, "RCMP Hid Scale of 2021 Hack Affecting All PAL Holders, IJF Reports," February 10, 2026
• TheGunBlog.ca, "Canada Gun Rights News: Week of 2026 April 27," April 28, 2026
• Rebel News, "RCMP says no compensation after firearm owners' data breach affecting 2.2 million people," Sheila Gunn Reid, April 28, 2026
• Canadian Shooting Sports Association, "RCMP Incompetence Put 2.2 Million Canadians in Harm's Way. The Liberal Government Hid It." (CSSA-CILA)
• Western Standard, "Firearms data breach exposed 2.2 million Canadian gun owners, no full investigation launched"
• RCMP web notice on the Gilmore ransomware incident, posted between March and June 2021 (subsequently deleted)
• This piece is labelled Advocacy · Commentary. It is one publication's evidence-led read of the federal record on the 2021 firearms-program breach. Responses, corrections, and source documents we have missed, welcome at The Dispatch.