Recently leaked documents reveal that the breach of an internal computer network at Rideau Hall was described to senior government officials as a “sophisticated cyber incident” in the days before the security breach was announced to the public.
Internal government emails, obtained by The Canadian Press through the Access to Information Act, also say officials were unable to confirm the full extent of the information they had. access.
As a result, the Office of the Secretary to the Governor General sought to make credit monitoring services available to employees due to concerns that sensitive personal information may have been stolen.
All managers were encouraged “to reflect on the information holdings they manage in their respective units” and to raise any concerns they might have, says a draft message from November 17, 2021 that was to be shared with employees of Rideau Hall.
In a Dec. 2 press release, the Office of the Secretary to the Governor General said there was “unauthorized access to its internal network” and that it was working on the investigation with the Canadian Center for Cyber Security — a wing of the Communications Security Centre, Canada’s electronic spy service.
It mentioned efforts to improve computer networks as well as consultations with the office of the federal privacy commissioner.
Ciara Trudeau, a spokeswoman for the secretary’s office, said she has communicated with Rideau Hall employees and “external partners who may have been impacted by the incident.”
However, she declined to provide a general update on the breach, the type of information accessed, or other details on how and why it happened.
Trudeau would also not discuss providing secure credit monitoring services to employees.
Internal emails indicate that several senior Privy Council Office officials were made aware of the breach two weeks before the event was made public.
Spokespersons for that office declined to comment on the incident.
Communications Security Establishment spokesman Evan Koronewski said CSE and its Cyber Center could not discuss the specific details of the breach.
“What I can tell you is that we continue to work diligently with (the Office of the Secretary to the Governor General) to ensure that they have robust systems and tools in place to monitor, detect and investigate any potential new threat,” he said.
CSE provides cyber defense services to the Office of the Secretary in coordination with partners at Shared Services Canada, he added.
Hacking into databases has become increasingly attractive to cybercriminals, said Chantal Bernier, Canada’s former acting privacy commissioner.
“It’s risk-free, very cheap and very profitable,” she said in an interview. “Unfortunately, there is also a lot of state-sponsored piracy.”
Bernier commended Rideau Hall for promptly alerting CSE, reviewing employee credit monitoring, and contacting the Office of the Privacy Commissioner, even though the Secretary’s office is not subject to the Privacy Act. protection of personal information.
The case underscores the need to expand the commissioner’s mandate at a time when the internet has created a power imbalance between the individuals and organizations who own their personal data, she said.
“It’s so complex now. And we can’t, each of us individually, hold organizations accountable — that’s beyond us,” said Bernier, who now manages privacy and cybersecurity matters at law firm Dentons.
“The scale of the breaches and consequences is such that we need a regulator strong enough to hold all organizations that hold our data accountable.”
This report from The Canadian Press was first published on April 17, 2022.
ctvnews Canada news