Canada’s privacy watchdog investigating hack affecting military and RCMP personnel

The Privacy Commissioner of Canada is investigating a cyberattack that compromised data on current and former members of the country’s armed forces and the Royal Canadian Mounted Police (RCMP).

Two affiliated companies, Brookfield Global Relocation Services (BGRS) and Sirva Canada LP, informed the Canadian government of the breach in October.

The companies have been contracted by the Canadian government to provide relocation services for personnel since 1995, and are involved in around 20,000 moves each year.

The incident has since been reported to both the Canadian Centre for Cyber Security and the RCMP.

According to the Canadian government, such a “significant volume of data” is being analyzed that investigators have not yet identified which individuals were affected by the breach.

Citing preliminary information the government cautioned that “any personal and financial information that employees provided to the companies” could have been accessed.

The breach might have affected “anyone who has used relocation services as early as 1999” might be affected, meaning — assuming the rate of relocations has remained consistent — around 480,000 people.

“Given the broad scope and potentially sensitive nature of the compromised personal information, I have determined that this breach must be investigated so that we can understand why this happened and what must be done to remedy the situation and prevent such things from happening again,” said Privacy Commissioner Philippe Dufresne.

The watchdog said that the number of individuals affected is unknown, but the Canadian government “is taking a proactive, precautionary approach to support those potentially affected.”

Its investigation will examine “the adequacy of the safeguards” that both companies and the federal government had in place to protect service personnel’s data, as required under the country’s Privacy Act.

In addition, the watchdog will also investigate whether the security incident involved a breach of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector law.

While the country’s Privacy Act does not contain a power for the regulator to fine companies for failing to adequately protect data — unlike the EU’s GDPR — companies can be fined up to $100,000 CAD ($73,000) for each violation under PIPEDA.

The Canadian government said it would provide credit monitoring services and reissue valid passports to any personnel who had relocated within the past 24 years.