Ottawa

Privacy watchdog investigating hack linked to military, RCMP moves

Canada's privacy commissioner is investigating a cyberattack targeting a system used to relocate members of the military and foreign service. 

Personal information dating back 24 years may be compromised

Three soldiers, laden with gear, march across the grounds of a military base.
Canadian troops on the move at CFB Kingston in Kingston, Ont., on Nov. 23, 2015. Two companies that help relocate military and RCMP employees were hacked, and now Canada's privacy commissioner is investigating. (Lars Hagberg/The Canadian Press)

Canada's privacy commissioner has launched an investigation into a cyberattack targeting private companies that help relocate military, federal police and foreign service members across the country and around the world. 

In October, the Department of National Defence (DND) issued an internal note alerting members of the breach, which involved personal information of Canadian government employees held by Brookfield Global Relocation Services (BGRS). 

BGRS has been providing relocation services to the Canadian government since 1995. According to an online DND document, it administers 20,000 federal moves each year involving over 8,000 suppliers.

On Thursday, the Office of the Privacy Commissioner of Canada announced it's looking into two companies — BGRS as well as Sirva Canada LP, which transports household goods — that are contracted by the government to provide relocation services.

Public Services and Procurement Canada and the Treasury Board of Canada Secretariat (TBS) will both be scrutinized under the Privacy Act, said the commissioner's office.

The watchdog said it will look at "the adequacy of the safeguards" that the companies and the government had in place to protect employees' personal information.

"Given the broad scope and potentially sensitive nature of the compromised personal information, I have determined that this breach must be investigated so that we can understand why this happened and what must be done to remedy the situation and prevent such things from happening again," wrote federal Privacy Commissioner Philippe Dufresne in a news release.

Compromise may date back to 1999

Last Friday, TBS released a statement outlining the steps the government is taking to respond to the breach.

The department said current and former federal government employees, members of the Canadian Armed Forces and Royal Canadian Mounted Police were affected. It's since reported the incident to the Canadian Centre for Cyber Security, the RCMP and the privacy commissioner.

TBS said a "significant volume of data" is being assessed so it can't yet identify individuals who have been impacted. 

"However, preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies," reads the statement. 

The department said it will provide credit monitoring services and reissue valid passports that may have been compromised to members who've relocated in the last 24 years. Details about these services will be provided "as soon as possible," TBS said. 

Meanwhile, the government advises people who may be affected to take precautionary measures, such as updating login credentials that may be similar to those used with BGRS or SIRVA, enabling multi-factor authentication, and monitoring financial and personal accounts for unusual activity. Current and former employees are asked to contact their departmental privacy teams should they have further questions.

TBS said it is verifying that the companies are addressing these vulnerabilities.