Rideau Hall cyber incident found to be a ‘sophisticated cyber incident’ according to internal emails

  • Last updated November 2, 2023

A new revelation has come to light about the security breach at Rideau Hall last year. Senior government officials were told it was a sophisticated cyber incident just a few days before it was announced to the public.

The Canadian Press obtained the internal government emails through the Access to Information Act. According to the officials, “[they] were unable to confirm the full extent of the accessed information.”

For this reason, the Office of the Secretary to the Governor-General has been looking into making credit monitoring services accessible to employees, who were highly concerned that certain confidential information may have been stolen.

According to a draft of Nov 17, 2021, which was shared with the Rideau Hall employees, all managers were encouraged “to reflect on the information holdings they manage in their respective units” and have their concerns addressed if they have any.

Apparently, this announcement was made to senior officials nearly two weeks before the news of the leak was disclosed to the public.

Based on the Dec 2 news release, the Office of the Secretary to the Governor-General said there was “unauthorized access to its internal network”. The breach was also under investigation by the Canadian Centre for Cyber Security. They reported there’ll be efforts to improve the computer network security, including consultations with the federal privacy commissioner’s office.

Ciara Trudeau, a spokeswoman for the Office of the Secretary, said the news about the breach was communicated to the Rideau Hall employees as well as “external partners who may have been affected by the incident.”

However, she was not forthcoming about the details of the breach, such as how and why it took place, much less what sort of information was accessed. She also refused to comment about acquiring credit monitoring services for employees.

The internal emails obtained by The Canadian Press indicate that many senior Privy Council Office officials knew about the breach two weeks before the public got to know about it. The spokesperson for the Privy Council Office refused to comment on the incident.

Evan Koronewski, a spokesman from Communications Security Establishment, said that the CSE and the cyber center were not at liberty to discuss the particular details of the breach. He did say, however, “What I can tell you is we continue to work diligently with (the Office of the Secretary to the Governor-General) to ensure they have robust systems and tools in place to monitor, detect and investigate any potential new threats.”

He further added that the CSE would be actively providing cyber defensive services to the Office of the Secretary along with Shared Services Canada as partners.

Chantal Bernier, the former interim privacy commissioner of Canada, shared her observations that cybercriminals have found hacking into databanks extremely enticing. “It is risk-free, very cheap, and highly profitable,” she mentioned. “Sadly, there is also a lot of state-backed hacking.”

Bernier appreciated how Rideau Hall handled the whole situation. She believed they made the right call by promptly letting the CSE know about the breach, looking for ways to safeguard employees, and even contacting the privacy commissioner’s office despite the fact the Office of the Secretary is not responsible for the Privacy Act.

She believes that this breach underlines how the commissioner should have more rights to even out the imbalance of power between organizations that hold the personal information of individuals and the individuals themselves.

She also said, “It’s now so complex. And we cannot, each of us individually, hold the organizations accountable — it’s beyond us.”

Currently, Bernier is handling the privacy and cybersecurity case at the law firm Dentons and states, “The magnitude of breaches and consequences is such that we need to have a regulator that is strong enough to hold all organizations that hold our data accountable.”
