Cyberbreach in Rideau Hall is a “complex” intrusion, internal documents reveal

Newly revealed documents reveal that the breach of an internal computer network in Rideau Hall was described to senior government officials as a “complex cyber incident” in the days before the public was told about the security breach.

Domestic government emails received from The Canadian Press through the Access to Information Act also said that officials “are unable to confirm the full amount of information that was available.”

As a result, the Office of the Governor-General’s Office sought to provide credit monitoring services to employees due to fears that sensitive personal information might have been stolen.

All managers were encouraged to “consider the information they manage in their respective units” and to express any concerns they may have, according to a draft statement from November 17, 2021, which was to be shared with Rideau employees. Hall.

In a December 2 press release, the governor-general’s office said it had “unauthorized access to its internal network” and was working on an investigation with the Canadian Cybersecurity Center, the communications wing of the Security Establishment, Canada’s electronic spy service.

It mentions efforts to improve computer networks, as well as consultations with the Office of the Federal Commissioner for Privacy.

Ciaro Trudeau, a spokeswoman for the secretary’s office, said she had communicated with Rideau Hall staff and “external partners who may have been affected by the incident.”

However, it declined to provide a general update on the breach, the type of information available or other details on how and why it occurred.

Trudeau will also not discuss providing secure credit monitoring services to employees.

Internal emails indicate that several high-ranking Secret Council officials were notified of the violation two weeks before the event was made public.

Spokesmen declined to comment on the incident.

Communications Security Establishment spokesman Evan Koronevski said CSE and its cybercenter could not discuss specific details of the breach.

“What I can tell you is that we continue to work hard with (the Office of the Governor-General’s Office) to ensure that they have robust systems and tools in place to monitor, detect and investigate any potential new threats.” he said.

CSE provides cybersecurity services to the secretary’s office in coordination with Shared Services Canada partners, he added.

Data bank hacking is becoming increasingly attractive to cybercriminals, said Chantal Bernier, a former temporary privacy commissioner for Canada.

“It’s risk-free, very cheap and very profitable,” she said in an interview. “Unfortunately, there is also a lot of hacking supported by the state.”

Bernie praised Rideau Hall for promptly alerting CSE, monitoring employees’ credit monitoring and contacting the office of the Privacy Commissioner, although the secretary’s office is not subject to the Privacy Act.

The case highlights the need to expand the commissioner’s mandate in an era when the internet has created an imbalance of power between individuals and organizations that have their personal data, she said.

“It’s so complicated now. And we can’t, each of us individually, hold organizations accountable – it’s outside of us,” said Bernie, who is now working on confidentiality and cybersecurity cases at Dentons Law Firm.

“The scale of the breaches and consequences is such that we need to have a regulator strong enough to hold all the organizations that hold our data accountable.”

This report from The Canadian Press was first published on April 17, 2022.