Fraudsters Hijack GTA Business to Target $12M Property
Fraudsters hijack GTA business in a scheme that nearly cost one Mississauga man his $12 million commercial property. Hitender Sharma, who owns the land through a holding company, discovered he had been removed as the company’s director — without consent, warning, or explanation. The case is now raising serious concerns about the security flaws in Ontario’s digital business registry.
The goal? To mortgage or sell the land and cash in on its equity, without Sharma’s knowledge or consent.
“It was shocking,” said Sharma. “This will disappear — everything we’ve invested.”
Hijacked with a Few Clicks
Sharma soon confirmed the worst: Someone had quietly changed the director and address of his business in the Ontario Business Registry. And it wasn’t just his company.
Brian King, a private investigator with King International Advisory Group, says Sharma’s case is one of at least five commercial properties in the GTA targeted using similar tactics. In one case, King says, fraudsters succeeded in selling a $5 million Caledon property without the real owner’s knowledge.
“I suspect there are many more,” said King. “We’re poring through records now.”
Sharma’s land remains mortgage-free, but he’s still fighting to regain control of his own company — and keep his business safe.
Ontario’s Business Registry at the Center
The Ontario government launched its digital business registry in 2021. It allows businesses to make changes online 24/7 using a security feature called a company key — a PIN-like code tied to each corporation.
New businesses get a company key when they incorporate. But older businesses, like Sharma’s (incorporated in 2014), must request the key. It’s supposed to be mailed or emailed to the official address on file.
But here’s where the loophole begins.
According to the province, applicants can prove their authority using public and internal info — including the date and author of the last filing, which is publicly available. If someone claims legal affiliation, they can even redirect the company key to a new email address.
“To lawyers I’ve spoken with, it’s laughable how easy it is,” said King.
Who’s Responsible? Nobody Wants to Claim It
Sharma contacted both the Ministry of Public and Business Service Delivery and Dye & Durham, the third-party service provider used to file the changes. Each pointed the finger at the other.
- The ministry says it doesn’t have authority to change corporate filings.
- Dye & Durham reportedly told Sharma it’s up to the ministry to verify identities.
“Someone needs to be the gatekeeper,” Sharma said. “That has to be the ministry.”
The ministry says Sharma can now fix the records using his company key. But he’s unsure if it’s secure — and has asked his lawyer to demand action from Dye & Durham.
Experts Call It a Security Weak Spot
Mike Gropp, a senior cybersecurity adviser with Rogers Cybersecure Catalyst, says this is a classic case of weak verification being exploited.
“It’s like locking your door but putting the key under the mat,” he said.
Gropp recommends the government upgrade the system to:
- Use multi-factor authentication, not security questions
- Send real-time alerts when corporate records change
- Introduce a delay system for critical updates like directorship changes
He says the current system sacrifices security for convenience — and that’s putting businesses at risk.
What’s at Stake
CBC Toronto has previously reported on homeowners losing properties to title fraud. But this case shows how commercial property owners are also vulnerable.
Sharma, who uses the Mississauga lot for his logistics company, is deeply concerned that more business owners could fall victim.
“Unless they make changes, this will be devastating for many families,” he said.
More…
