Canada’s National Research Council is sending letters to companies who shared sensitive information with it, warning their commercial secrets could be in the hands of hackers after last month’s data breach.

Ottawa start-up TwelveDot Labs said they’re one of the many companies who gave the NRC information and were told this week it may have been compromised.

"We have to put in a lot of our IP, or our engineering/science aspects, to be able to qualify for certain credits and things like that that we get from the government," said TwelveDot owner Faud Khan.

"We give that to them lock, stock and barrel," said Khan.

The Canadian government said a highly sophisticated Chinese state-sponsored hacker is behind the breach, a claim Beijing has denied.

Experts say Canada's cybersecurity efforts lacking

Khan said if that’s the case, a Chinese company could take his research and pirate it before he could get a patent.

Cybersecurity expert Patrick Malcolm said the data could be anywhere by now.

"In this particular case, it's possible that the information is being duplicated and resold to other people and they're all interested in competing globally against Canadian interests," said Malcolm.

Khan said the Canadian government has been too relaxed about cybersecurity, asking companies to get them data in clear text instead of encrypted (or protected), for example.

Experts say Canada spends considerably less per capita on cybersecurity than many allies and it’s not an area they should be looking to save money in.

"I'm trying to use this, if I can, as a wake-up call to businesses to go to our government and say ‘you know there (are) better ways to do this, why aren't we doing it the better way?’" Khan said.

Canada’s chief information officer said last week the NRC’s IT system has been "isolated" to make sure no other departments get breached.

The NRC, which works with private businesses to create technological innovation, said it could take as long as a year to secure its system again.