I'll just respond to your question, which, if I understood it correctly, was about email addresses. You don't need to hack a database to get your email address. You can get it off the Internet.
There are really three questions that are germane to this committee's work. One, when does CSE notify your IT department, and what do they do as a consequence of that notification? Two, when do notifications go to members themselves, under what circumstances and who is indeed the lead? Is it CSIS? Is it CSE? Is it your IT department? That's what landed us in this discussion today. Three, what do you do as an individual member of Parliament when you leave here and pick up your personal device, because while your day job might stop for the day, threat actors are still looking at you as a person?