Chinese NRC cyber attack breached personal data
Privacy watchdog says full extent of its impact to be determined.
National Research Council
OTTAWA — Hackers who targeted Canada’s National Research Council infiltrated a system containing personal information, the federal privacy czar says.
The privacy commissioner’s office said it was first informed of the breach on July 23 and further briefed on July 28 – at which point the exposure of personal data was confirmed.
The attack appears to be a serious security issue, but the full extent of the impact has yet to be determined, said Tobi Cohen, a spokeswoman for the commissioner’s office.
“We are following developments very closely due to the potential implication for personal information,” Cohen said. “We intend to continue communicating with the NRC to ensure we remain informed of any relevant privacy issues and to determine next steps.”
The federal government revealed the research council’s networks were the target of a cyber attack. The venerable institution carries out advanced studies – often with outside collaborators – in fields including aerospace, mining and health therapeutics.
The council said that since the announcement, it has worked with government partners to isolate its information holdings and revamp internal security procedures.
“As NRC adapts its business processes there will be disruptions to regular business operations,” the council said in a statement, adding it expects to resume activities “in an orderly manner” over the next few weeks and months.
The council plans to build a new information technology system to reduce the risk of future cyber threats – a project that could take one year.
Canada has squarely blamed the intrusion on a highly sophisticated Chinese state-sponsored player. Beijing has denied involvement, accusing Canada of making irresponsible accusations.
“The Chinese government consistently opposes criminal activities of all forms aimed at sabotaging the Internet and computer networks,” China’s foreign ministry said in a statement on its website.
“It is irresponsible for the Canadian side to make groundless accusations against China when there is no credible evidence. We are strongly opposed to that. We urge the Canadian side to correct their mistakes, stop making baseless accusations and redress the negative impacts incurred by their statement.”
Prime Minister Stephen Harper said this week there is “no doubt” China initiated the digital assault.
In an October 2012 report, the federal auditor general said the Conservative government had been slow to mount an effective response to the expanding threat of cyber attacks on vital systems.
In his report, Michael Ferguson revealed the government had made only limited progress in shoring up crucial computer networks and had lagged in building partnerships with other players.
Assaults that crippled computers at the Finance Department and Treasury Board in January 2011 have been linked to efforts – possibly originating in China – to gather data on the potential takeover of a Canadian potash company.
Following the auditor’s report, the government spelled out plans to implement various recommendations.
Almost two years later, Harris says there’s reason to believe Canada isn’t doing enough.
“If they have a plan, it clearly isn’t working yet. And we want to know what it is they’re going to do to make sure it works,” he said.
“The question is prevention, and not discovering that someone’s robbed your house.”
© 2014 The Canadian Press