MPs warned to change email passwords after cyber attack on Canadian government
Members of Parliament have been asked to change their email passwords and some internet-based services on Parliament Hill have been restricted after what’s being described as a “cyber incident.”
The threat to the government’s information technology infrastructure was identified last Wednesday, said Amelie Crosson, the manager of communications in the Office of the Speaker.
All users served by the House of Commons infrastructure — including members of Parliament and their staff, as well as staff of the House of Commons administration, the Senate, the Library of Parliament, the Parliamentary Protective Service and the Conflict of Interest and Ethics Commissioner — have been affected by the cyber incident.
Critical services for parliamentarians and House of Commons staff continue to function, Crosson said, but some internet-based services remain restricted as mitigation measures continue.
An email sent to all members of Parliament said the incident is still under investigation, and asked users who have not updated their passwords in a previous alert on Oct. 14 to do so the next time they log on to the network.
Several MPs confirmed to the Star that they had been asked to change their passwords.
“It’s concerning to hear that sensitive information from offices of members of Parliament from all parties could have been at risk,” said Conservative MP Matt Jeneroux.
Crosson told the Star that the Speaker’s office doesn’t “have any information to share regarding who might be behind (the cyber attack) or what kind of information could be compromised.”
Crosson added there has been no indication any members’ email accounts were compromised.
However, a Canadian technology analyst said the warning to MPs was “far from a routine communication and suggests very strongly that parliamentary IT has been made aware of a significant cybersecurity risk.”
Carmi Levy says the advice to update passwords suggests “at least one individual has had their credentials compromised, and their authentication information, including usernames and passwords, has been breached and shared.”
In the wrong hands, Levy said, compromised passwords could be used to access secure government accounts and personal accounts, as well as to commit identity theft. Comparing it to a situation in which “the keys to the front door have been stolen, and no one knows where they are,” Levy said password updates are “tantamount to replacing those same locks on the front door.”
The Canadian Centre for Cyber Security, a government agency that provides advice and support for online security, is aware of “a cyber incident,” said spokesman Evan Koronewski, and is supporting the federal government to ensure critical services remain functioning.
The breach comes just months after Global Affairs Canada was the target of a major cyber attack in January. In August, a senior RCMP official told parliamentarians he had “little doubt” they were all being targeted by hostile actors. The House Speaker’s Office stated then that MPs and their staffers received specially configured devices and training on cybersecurity.
A February report from the National Security and Intelligence Committee of Parliamentarians said there were weaknesses in the government’s cyber defence system. The report warned of the risks of state-sponsored hackers from countries like China and Russia accessing the system and stealing sensitive data.
JOIN THE CONVERSATION