The National Security and Intelligence Review Agency (NSIRA) experienced a cyber security breach this past spring linked to the exploitation of Microsoft Exchange vulnerabilities. Between March 9 and March 19, 2021, a third party gained sporadic, unauthorized access to NSIRA’s externally-facing network (the “Protected B” network). The information below provides potentially affected individuals with more information about the breach.
The incident did not affect NSIRA’s classified systems.
What information was compromised?
The compromise resulted in the theft of two files: the first, a file containing system and software configuration settings for one of NSIRA’s servers, and the second comprising NSIRA’s Active Directory database. NSIRA’s Active Directory database contained basic information on NSIRA’s network users to facilitate their connection to the IT network. This information generally consisted of an individual’s first and last name, their office and/or personal phone numbers, and their NSIRA email addresses, as well as a hash of current and previously used passwords. Individuals affected by the theft of the Active Directory database have been directly notified by NSIRA, with a few exceptions. If you are a former employee, contractor or Member who has not heard from us, please contact NSIRA at firstname.lastname@example.org for further information. The Active Directory database did not contain information about employees of other Government of Canada agencies nor about members of the public.
Did the third party access other information on the Protected B network?
The Canadian Centre for Cyber Security (the “Cyber Centre”) examined NSIRA’s IT infrastructure following the cyber security incident and found no evidence suggesting that the threat actor improperly accessed, or exfiltrated, other information stored on NSIRA’s Protected B network. We cannot fully exclude the possibility, however, that the threat actor may have improperly accessed other information stored on the Protected B network.
What types of personal information are found on NSIRA’s Protected B Network?
NSIRA’s Protected B network hosts a variety of unclassified, Protected A and Protected B documents created by our corporate, review and legal directorates. In addition, the network contained a variety of personal information related to both NSIRA employees and other individuals. The Protected B network also held NSIRA’s email server, which included both encrypted and unencrypted communications.
NSIRA has discussed the contents of its Protected B network with its employees and familiarized them with the type of personal information stored in their regard on NSIRA’s servers. In addition, the Protected B server would have included the following types of personal information on the listed groups:
- Employees of Government of Canada departments and agencies, with whom NSIRA engages in its review, complaint or corporate mandates, particularly their email addresses, signature blocks and the content of email exchanges;
- Information provided by individuals when submitting complaints for investigation by NSIRA, including a summary of their allegations;
- Recent job or contract applicants, whose c.v. and attendant personal information (e.g. work history, residential address and contact information) remained on file;
- On rare occasions, individuals referenced in security clearance forms submitted by employees or job applicants, such as family members and character references, if saved locally by employees on the network or if temporarily retained by NSIRA on the network at the time of the breach;
- Individuals in academic and civil society groups engaged by NSIRA’s outreach efforts, namely their contact information and the contents of e-mail correspondence, and
- Similarly, members of the public, including ATIP requestors, media representatives, and other individuals who have emailed NSIRA.
How did NSIRA respond to the breach?
Upon discovery of the compromise in March, NSIRA worked closely with Shared Services Canada (SSC) and the Cyber Centre to contain the breach and restore the integrity of its systems. Acting on a recommendation from the Cyber Centre, NSIRA has permanently decommissioned its Protected B network and related IT infrastructure. We also reported the matter to the RCMP, who are conducting a law enforcement investigation into the cyber incident.
NSIRA has also reported the privacy breach to the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board Secretariat. We have worked closely with the OPC to assess the privacy implications of the breach and notify affected individuals. Under the Privacy Act, individuals are entitled to register a complaint with the OPC with respect to the treatment of their personal information. Further information about their complaints process, and access to the form, may be found online here.
NSIRA is committed to ensuring that its IT infrastructure reflects best-in-class IT security measures. We continue to collaborate with the Privy Council Office (PCO), the Communications Security Establishment (CSE) and SSC in this regard.
We wish to emphasize that NSIRA has no evidence that any of the broader personal information referred to above was accessed or exfiltrated by the threat actor. We are cognizant of the risks that can arise from breaches of cyber security and recommend the resources below:
Both credit monitoring bureaus in Canada offer a selection of free and fee-based services:
- To obtain a free credit report from Equifax or to learn more about its paid credit monitoring services;
- To obtain a free credit report from TransUnion, or to learn more about its paid products & services;
Certain companies also offer services related to monitoring the Internet for the presence of an individual’s personal information, such as Telus’ Norton LifeLock.
In addition, the Government of Canada and the Office of the Privacy Commissioner have dedicated privacy and cybersecurity webpages; see:
- Government of Canada, Get Cyber Safe!
- Office of the Privacy Commissioner, Protecting Your Privacy Online and Identity theft and You
- Canadian Centre for Cyber Security – Best Practices for Passphrases and Passwords
For further information on the Microsoft Exchange vulnerability, see also:
- Global Affairs Canada, Statement on China’s Cyber Campaigns (July 19, 2021);
- Canadian Centre for Cyber Security: Active Exploitation of Microsoft Exchange Vulnerabilities – Update 4
To speak with NSIRA:
Please do not hesitate to contact us with questions or concerns at email@example.com.
Updates, as applicable, will continue to be posted to NSIRA’s website.
We very much regret the impact of this cyber incident.