Canadian authorities are investigating a long-running data security breach after “detecting malicious cyber activity” affecting the internal network used by Global Affairs Canada staff, according to internal department emails seen by CBC News.
The breach affects at least two internal drives, as well as the emails, calendars and contacts of many staff members.
CBC News spoke to multiple sources with knowledge of the situation, including employees who received instructions about how the breach affects their ability to work. Some of them were told to stop working remotely from last Wednesday.
CBC News has also seen three internal emails sent to Global Affairs staff.
“Forensic work has also progressed to help us understand the scope of the data breach,” one email said. “The work is ongoing, but early results suggest that many users may be affected (Global Affairs Canada).”
Another email said that the internal systems were vulnerable between December 20, 2023 and January 24, 2024. It informed anyone who connected remotely using a SIGNET (Secure Integrated Global Network) laptop that their information could be vulnerable.
The “compromised” system was the virtual private network (VPN) used by staff to access the Ottawa Global Affairs headquarters. The VPN system was managed by Shared Services Canada, the GAC announcement said.
Shared Services Canada is a federal department created in 2011 to take over email delivery, data center and network services for many government departments and agencies.
Global Affairs Canada confirms breach
In a statement released Tuesday, Global Affairs Canada said an “unplanned IT outage” is affecting remote access to its network. The department said the partial outage was deliberately activated on January 24 to “address the discovery of malicious cyber activity”.
“Early findings indicate that there was a data breach and unauthorized access to personal information of users including employees,” the statement said, adding that the department is investigating the matter and contacting those affected to ensure that their information is secure.
The statement added that connectivity in GAC buildings is fully functional and that work arrangements have been made available to employees working remotely in Canada.
“The Department’s vital services and external communication channels remain accessible and operational.”
No word yet on the scope of the data breach
According to Global Affairs, SIGNET is the Department’s secure computer network. One part of the network maintains personal information on shared drives, including personal information of employees. Another section contains classified information.
It is unclear whether confidential information was lost in the breach, which lasted more than a month. It is also unclear who was behind the breach.
Email traffic and files on personal and shared drives may be “at risk,” the GAC memo to staff said. GAC also said it is looking into whether “sensitive corporate information”, such as credit card and banking details, may have been breached.
Shared Services Canada and the Canadian Center for Cyber Security — which is part of the Communications Security Establishment, Canada’s cybersecurity organization — are investigating the breach, a GAC email to staff said.
“Forensic work, including with these partners, is ongoing to help us understand the impact on our networks and any possible changes to the scope and time frame of the data breach,” read GAC’s email to staff.
The Lester B. Pearson Building on Sussex Drive in Ottawa, the headquarters of Global Affairs Canada. (CBC)
The Privacy Commissioner’s office said Global Affairs Canada notified it of the data breach on January 26.
“We are in constant communication with the Department to gather more information,” a spokesperson said in a media statement. “Following notification of a breach, our office will work with federal institutions to better understand the privacy risks associated with the breach and ensure that the Department takes appropriate actions, including notifying individuals who are affected.”
Global Affairs is a ‘natural target’
“A breach of that era has to be serious,” said Wesley Wark, a national security expert at the University of Ottawa.
“Global Business Canada has a lot of classified and sensitive information … It’s a natural target for hacking but it’s also vulnerable and has important data.”
Although sensitive diplomatic cables are sent using an encryption system, a source told CBC News that the affected drives may have contained drafts of sensitive correspondence and some information.
“We know this information may be upsetting to many of you,” said the email sent to staff. “This is an evolving situation and more information and guidance will continue to be shared as quickly as possible.”
The email offers suggestions on how to protect “sensitive information” and encourages employees to monitor financial accounts in case of unauthorized activity.
Meanwhile, some Global Affairs employees based in Canada with security clearance are unable to work from home.
“This is not a permanent change to the hybrid work model, but a temporary situation until this crisis passes,” the email said.
A senior diplomatic source told CBC News that the staff members were told several times over the past year to immediately change passwords or restart software but were given no further details.
Global Affairs said it is working with Shared Services Canada and the Canadian Center for Cyber Security, which is part of the Communications Security Establishment, to restore full connectivity “as soon as possible.”