Cyber Incident Victim: Global Affairs Canada
Date: Dec 2023
Location: Canada
Summary
A prolonged cybersecurity breach at Global Affairs Canada compromised internal systems, including employee emails, calendars, contacts, and shared drives, leading to unauthorized access of personal information. The incident, detected during an unplanned IT outage, affected remote access via a vulnerable VPN managed by a federal partner, prompting temporary work-from-home suspensions and ongoing forensic investigations to determine the full scope, which may involve sensitive corporate data. Authorities, including national cybersecurity agencies, are collaborating to restore connectivity and assess potential risks to classified materials.
Description
The breach at Global Affairs Canada (GAC) was first detected on January 24, 2024, prompting an immediate partial network outage to contain malicious cyber activity that had persisted undetected since December 20, 2023. Forensic analysis revealed unauthorized access to the department's virtual private network (VPN), managed by Shared Services Canada, which remote employees used to connect to GAC's Ottawa headquarters. The compromised systems included at least two internal drives containing employee data, as well as email accounts, calendars, and contact lists. Internal communications confirmed that "many" staff members were affected, with personal information potentially exposed, though the full scope remained under investigation. While classified information resides on a separate network segment, unclassified drafts of sensitive correspondence and intelligence materials stored on breached drives may have been accessed. The department acknowledged unauthorized access to employee personal data but could not confirm whether sensitive corporate information—such as credit card details or banking data—was exfiltrated.

In response, GAC disabled remote access via SIGNET laptops on January 24, forcing Canada-based employees with security clearances to work onsite using functional office networks while remote staff received temporary workarounds. Shared Services Canada and the Canadian Centre for Cyber Security launched a forensic investigation to determine the breach's origin, duration, and data impact, with preliminary findings shared internally as early as January 26. The Office of the Privacy Commissioner was notified that same day, initiating collaborative risk assessments and individual breach notifications. Employees received directives to monitor financial accounts for suspicious activity and implement enhanced safeguards for sensitive information, though some staff reported prior unexplained password-reset orders without context. GAC characterized the remote-work suspension as temporary, emphasizing that critical services and diplomatic communications remained operational throughout the incident.
