New documents reveal the extent of a cyber attack on Rideau Hall. Officials had described it as a “sophisticated internet incident” days before it was released to the public.
Internal government emails, obtained by The Canadian Press through the Access to Information Act, say officials were “unable to confirm the full extent of the information that was accessed.”
As a result, the Office of the Secretary to the Governor General wanted to offer credit monitoring services to employees concerned that personal information had been stolen.
All managers were encouraged “to reflect on the information managed by their respective unit” and to raise their concerns, according to the draft of a text written on November 17, 2021 which was to be sent to employees.
In the press release published on December 2, the Office of the Secretary to the Governor General disclosed that there had been unauthorized access to its internal network. He added that he was working with the Canadian Center for Cyber Security “as part of the ongoing investigation” to determine the nature and scope of this intrusion.
The Office also mentioned that it was working with experts and taking other steps to strengthen its network as needed. The Office of the Privacy Commissioner has also been notified of this unauthorized access.
Ciara Trudeau, a spokeswoman for the Office of the Secretary, says Rideau Hall employees and external partners have been made aware.
However, she declined to specify the exact extent of this attack, including the nature of the information to which the hackers had access, the method used or the reasons.
Ms. Trudeau also did not want to discuss the audit services offered to employees.
Internal emails indicate that several Privy Council Office officials were alerted to the cyberattack, two weeks before it was made public.
Spokespersons for that office declined to comment.
A Communications Security Establishment (CSE) spokesman, Evan Koronewski, says the agency cannot provide details about the cyberattack.
“What I can tell you is that we continue to work diligently with [le Bureau du secrétaire de la gouverneure générale] to make sure their systems are resilient and the tools are in place to monitor, detect and investigate any new threats,” he said.
CSE provides advocacy services to the Office of the Secretary in coordination with Shared Services Canada.
The database is increasingly attracting cybercriminals, says Chantal Bernier, a former acting privacy commissioner of Canada.
“It’s risk-free, very inexpensive and very profitable,” she says. Unfortunately, there are several states behind these hacks. »
Ms. Bernier praised Rideau Hall for promptly alerting CSE, assisting its employees and contacting the Privacy Commissioner, even though the Secretary’s Office did not fall under the Privacy Act.
According to her, this case highlights the need to extend the mandate of the commissioner’s office because of the imbalance created by the Internet between individuals and organizations with personal data.
“It’s so complex. And we cannot individually hold organizations accountable. It’s above our heads, says Ms. Bernier. The magnitude of these computer flaws and their consequences are such that we need control strong enough to hold all organizations holding personal data accountable. »