Privacy watchdog says NRC system holding personal data hacked

OTTAWA—Hackers who targeted Canada’s National Research Council (NRC) infiltrated a system containing personal information, the federal privacy czar says.

The privacy commissioner’s office said it was first informed of the breach July 23 and further briefed July 25, at which point the exposure of personal data was confirmed.

The attack appears to be a serious security issue, but the full extent of the impact has yet to be determined, said Tobi Cohen, a spokesperson for the commissioner’s office.

“We are following developments very closely due to the potential implication for personal information,” Cohen said. “We intend to continue communicating with the NRC to ensure we remain informed of any relevant privacy issues and to determine next steps.”

The federal government revealed Tuesday that the research council’s networks were the target of a cyberattack.

The venerable institution carries out advanced studies—often with outside collaborators—in fields including aerospace, mining and health therapeutics.

The council said this week that since the announcement, it has worked with government partners to isolate its information holdings and revamp internal security procedures.

“As (the) NRC adapts its business processes there will be disruptions to regular business operations,” the council said in a statement, adding it expects to resume activities “in an orderly manner” over the next few weeks and months.

The council plans to build a new information technology system to reduce the risk of future cyberthreats—a project that could take one year.

Canada has squarely blamed the intrusion on a highly sophisticated Chinese state-sponsored player.

Beijing has denied involvement, accusing Canada of making irresponsible accusations.

“The Chinese government consistently opposes criminal activities of all forms aimed at sabotaging the Internet and computer networks,” China’s foreign ministry said in a statement on its website.

“It is irresponsible for the Canadian side to make groundless accusations against China when there is no credible evidence. We are strongly opposed to that. We urge the Canadian side to correct their mistakes, stop making baseless accusations and redress the negative impacts incurred by their statement.”

Prime Minister Stephen Harper said this week there is “no doubt” China initiated the digital assault.

Canada must stand up to Beijing over such attacks, said Liberal public safety critic Wayne Easter, a former solicitor general who once oversaw Canada’s main spy agency.

“We have a long-term relationship with China, and our relationship—both from a commercial and a trade point of view—is important. But we’re in a technological world where our efforts to do the right thing on our own side to protect our interests has to happen.”

NDP defence critic Jack Harris said he has no problem with Canada pointing a finger at Beijing “if they have the proof that the Chinese actually did it.”

In the face of denials, Canada should seek assurances that state-sponsored hacking is not taking place if the Chinese “want to be good neighbours,” Harris added.

In an October 2012 report, the federal auditor general said the Conservative government had been slow to mount an effective response to the expanding threat of cyberattacks on vital systems.

In his report, Michael Ferguson revealed the government had made only limited progress in shoring up crucial computer networks and had lagged in building partnerships with other players.

Assaults that crippled computers at the Finance Department and Treasury Board in January 2011 have been linked to efforts—possibly originating in China—to gather data on the potential takeover of a Canadian potash company.

Following the auditor’s report, the government spelled out plans to implement various recommendations.

Almost two years later, Harris says there’s reason to believe Canada isn’t doing enough.

“If they have a plan, it clearly isn’t working yet. And we want to know what it is they’re going to do to make sure it works,” he said.

“The question is prevention, and not discovering that someone’s robbed your house.”