Recent leaked documents reveal that the breach of an internal computer network at Rideau Hall was described to senior government officials as a “cyber incident” in the days before the public was notified of the insecurity. Internal government e-mails received from the Canadian press through the Access to Information Act also state that officials “were unable to confirm the full extent of the information that was accessed.” As a result, the Office of the Secretary-General was trying to make credit monitoring services available to employees due to concerns that sensitive personal information might have been stolen. All managers were encouraged to “reflect on the information they manage in their respective units” and to express any concerns they may have, says a draft message on November 17, 2021, which they were to share with Rideau Hall staff. In a December 2 press release, the Office of the Secretary-General’s Office said there was “unauthorized access to its internal network” and that it was working on the investigation with the Canadian Cyber Security Center – a Communications Foundation security unit. the Canadian cyber espionage service. He cited efforts to improve computer networks as well as consult with the federal privacy commissioner. Ciara Trudeau, a spokeswoman for the secretary’s office, said she had contacted Rideau Hall staff and “outside staff who may have been affected by the incident”. However, it declined to provide a general update on the breach, the type of information it has access to, or other details about how and why it occurred. Trinto also would not discuss providing secure credit tracking services to employees. Internal emails indicate that several Privy Council Office officials were notified of the breach two weeks before the event was made public. Representatives of this office refused to comment on the incident. Evan Koronevski, a spokesman for the Communications Security Foundation, said the CSE and its cyber center could not discuss specific details of the breach. “What I can tell you is that we continue to work diligently with (the Office of the Secretary-General) to ensure that they have strong systems and tools in monitoring, detecting and investigating any new threats,” he said. CSE provides cyber defense services to the Secretary’s Office in coordination with Shared Services Canada partners, he added. Database piracy is becoming increasingly attractive to cybercriminals, said Chantal Bernier, Canada’s former interim privacy commissioner. “It is harmless, very cheap and extremely profitable,” she said in an interview. “Unfortunately, there is also a large number of state-sponsored hacks.” Bernier commended the Rideau Hall for notifying the CSE quickly, monitoring staff credit and communicating with the Office of the Privilege Commissioner, even though the Secretary’s Office is not subject to the Privacy Act. The case underscores the need to extend the Commissioner’s mandate at a time when the Internet has created an imbalance of power between individuals and organizations that hold their personal data, he said. “It’s so complicated now. And we can not, individually, hold the organizations accountable – it’s beyond us,” said Bernier, who now handles privacy and cybersecurity cases at law firm Dentons. “The magnitude of the breaches and the consequences is such that we need to have a regulatory authority that is strong enough to hold all the organizations that hold our data accountable.” This Canadian Press report was first published on April 17, 2022.
