Newly unsealed documents reveal that the breach of an internal computer network at Rideau Hall late last year was described by senior government officials as a “sophisticated cyber incident” in the days before the security flaw was made public.
Internal government emails, obtained by The Canadian Press through the Access to Information Act, also say that officials “were unable to confirm the full extent of the information that was accessed.”
As a result, the Office of the Secretary to the Governor General sought to make credit monitoring services available to employees due to concerns that sensitive personal information might have been stolen.
All managers were encouraged to “reflect on the information holdings they manage in their respective units” and raise any concerns they might have, says a draft of a Nov. 17, 2021, message that would be shared with Rideau Hall employees. .
Senior officials gave notice two weeks before public disclosure
In a Dec. 2 press release, the Governor General’s Office of the Secretary said there had been “unauthorized access to its internal network” and that it was working on the investigation with the Canadian Center for Cyber Security, a wing of the Department. of Communications. Security Establishment, Canada’s electronic espionage service.
He mentioned efforts to improve computer networks, as well as consulting with the federal privacy commissioner’s office.
Ciara Trudeau, a spokeswoman for the Clerk’s Office, said she has reached out to Rideau Hall employees and “outside partners who may have been affected by the incident.”
However, he declined to provide a general update on the breach, the type of information that was accessed, or other details about how and why it happened.
Trudeau also did not discuss the provision of secure credit monitoring services to employees.
Internal emails indicate that several senior officials in the Privy Council Office were made aware of the breach two weeks before the event was made public.
Spokesmen for that office declined to comment on the incident.
Cyber attacks can be ‘very cheap and very profitable’: privacy expert
Communications Security Establishment spokesman Evan Koronnewski said the CSE and its cyber center could not discuss the specifics of the breach.
“What I can tell you is that we continue to work diligently with [the Office of the Secretary to the Governor General] to ensure they have robust systems and tools in place to monitor, detect and investigate any potential new threats,” he said.
The CSE is providing cyber defense services to the Office of the Secretary in coordination with partners from Shared Services Canada, it added.
Hacking into data banks has become increasingly attractive to cybercriminals, said Chantal Bernier, Canada’s former acting privacy commissioner.
“It’s risk-free, very cheap and very profitable,” he said in an interview. “Sadly, there is also a lot of state-backed hacking.”
Bernier praised Rideau Hall for promptly alerting the CSE, observing employee credit monitoring, and contacting the Privacy Commissioner’s Office even though the Clerk’s Office is not subject to the Privacy Act.
The case underscores the need to expand the commissioner’s mandate in an era when the internet has created an imbalance of power between the people and organizations that hold their personal data, he said.
“It’s so complex now. And we can’t, each of us individually, hold organizations accountable, it’s beyond us,” said Bernier, who now handles privacy and cybersecurity cases at the Dentons law firm.
“The magnitude of the breaches and the consequences are such that we need to have a regulator that is strong enough to hold accountable all the organizations that hold our data accountable.”