Ottawa now says the data theft at companies that handle moving arrangements of federal staff includes that of members of the Canadian Armed Forces, current and former federal employees, and Royal Canadian Mounted Police personnel for the past 24 years.
The revelation was made in a statement Friday by the Treasury Board, which is responsible for all federal employees. Although the government was made aware of the theft of personal information from Brookfield Global Relocation Services (BGRS) and SIRVA Canada on Oct. 19, it still doesn’t know how many people were involved.
The statement says there is a “significant volume” of data being analyzed, but “preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies.”
BGRS handles relocation services for the public and private sector, helping employees who are transferred to new positions. SIRVA Canada systems handles actual moving services. According to the BGRS website, it oversees more than 20,000 relocations a year. Over 8,000 suppliers support its relocation program. The two companies are close. Last year SIRVA Canada’s American parent, SIRVA Inc., and BGRS, created a new merged organization called SIRVA BGRS Worldwide.
The first public inkling of a problem came Oct. 20, when CBC News reported that the Defence Department had issued an internal note to employees warning BGRS had suffered an incident. That note was given to the news service after a number of military members contacted it because the BGRS online portal wasn’t available. That Defence Department note was also made public, saying that on Sept. 29, the government was informed of an “incident”, but by Oct. 19, there was confirmation that unauthorized access had been obtained to information held by BGRS.
The Treasury Board statement says the data was held by both BGRS and SIRVA Canada IT systems. The government has contracts with BGRS and SIRVA Canada to provide relocation support to employees, the statement says. It adds that the data theft has been reported to the Canadian Centre for Cyber Security, the Office of the Privacy Commissioner, and the Royal Canadian Mounted Police.
The statement says the government “is meeting with BGRS and SIRVA Canada on a regular basis to monitor progress on the issue. This will continue until we have a full assessment of the breach and its impacts.”
In the meantime, Ottawa advises any federal employee who used BGRS and SIRVA Canada since 1999 to:
- update login credentials they use for any email, website or social media that may be similar to ones they created for BGRS or SIRVA Canada;
- enable multi-factor authentication on accounts that are used for any online transactions;
- monitor their financial and personal online accounts for any unusual activity.
Rather than wait for a complete list of victims, Ottawa says credit monitoring or reissuing valid passports that may have been compromised will be provided to current and former members of the public service, RCMP, and the Canadian Armed Forces who have relocated with BGRS or SIRVA Canada during the last 24 years.