Cyberbreach at Rideau Hall was 'sophisticated' intrusion, internal documents reveal

Internal government emails obtained by CP say officials were "unable to confirm the full extent of the information that was accessed" in a cyberbreach late last year.

Canada's cybersecurity agency is working with Rideau Hall to investigate breach

Rideau Hall, the official residence of Canada's governor general. (Andrew Lee/CBC)

Newly disclosed documents reveal the breach of an internal computer network at Rideau Hall late last year was described to senior government officials as a "sophisticated cyber incident" in the days before the public was told of the security lapse.

Internal government emails, obtained by The Canadian Press through the Access to Information Act, also say officials were "unable to confirm the full extent of the information that was accessed."

As a result, the Office of the Secretary to the Governor General was looking to make credit monitoring services available to employees due to concerns that sensitive personal information might have been pilfered.

All managers were encouraged "to reflect on the information holdings they manage in their respective units" and raise any concerns they might have, says a Nov. 17, 2021, draft of a message that was to be shared with Rideau Hall employees.

Senior officials advised two weeks before public disclosure

In a Dec. 2 news release, the Office of the Secretary to the Governor General said there was "an unauthorized access to its internal network" and that it was working on the investigation with the Canadian Centre for Cyber Security — a wing of the Communications Security Establishment, Canada's electronic spy service.

It mentioned efforts to improve computer networks as well as consultation with the federal privacy commissioner's office.

Ciara Trudeau, a spokesperson for the Office of the Secretary, said it communicated with Rideau Hall employees and "external partners who may have been affected by the incident."

Gov. Gen. Mary Simon visits Queen's Park in Toronto on March 31. (Evan Mitsui/CBC)

However, she declined to provide a general update on the breach, the sort of information accessed, or other details about how and why it took place.

Trudeau also would not discuss the provision of secure credit monitoring services to employees.

The internal emails indicate several senior Privy Council Office officials were advised of the breach two weeks before the event was made public.

Spokespeople for that office declined to comment on the incident.

Cyberattacks can be 'very cheap and highly profitable': privacy expert

Communications Security Establishment spokesperson Evan Koronewski said the CSE and its cyber centre could not discuss specific details of the breach.

"What I can tell you is we continue to work diligently with [the Office of the Secretary to the Governor General] to ensure they have robust systems and tools in place to monitor, detect and investigate any potential new threats," he said.

The CSE is providing cyberdefensive services to the Office of the Secretary in co-ordination with partners at Shared Services Canada, he added.

Hacking into databanks has become increasingly attractive to cybercriminals, said Chantal Bernier, a former interim privacy commissioner of Canada.

"It is risk-free, very cheap and highly profitable," she said in an interview. "Sadly, there is also a lot of state-backed hacking."

Bernier lauded Rideau Hall for swiftly alerting the CSE, looking at credit monitoring for employees, and contacting the privacy commissioner's office even though the Office of the Secretary is not subject to the Privacy Act.

The case underscores the need to broaden the mandate of the commissioner in an era when the internet has created an imbalance of power between individuals and the organizations that possess their personal data, she said.

"It's now so complex. And we cannot, each of us individually, hold the organizations accountable — it's beyond us," said Bernier, who now handles privacy and cybersecurity cases at law firm Dentons.

"The magnitude of breaches and consequences is such that we need to have a regulator that is strong enough to hold all organizations that hold our data accountable."