Canadian Armed Forces, Mounties exposed in data breach

Updated on: 20 November 2023

Vilius Petkauskas
Deputy Editor

Mounties data breach — Image by Shutterstock.

The third-party breach exposed decades’ worth of data on Canada’s public servants, members of the armed forces, and the Royal Canadian Mounted Police (RCMP).

Data breaches on Brookfield Global Relocation Services (BGRS) and SIRVA Canada systems have likely exposed everyone who has used relocation services within the Canadian government since 1999.

BGRS has provided relocation services to the Canadian government since the mid-’90s and administers tens of thousands of federal moves each year, including military overseas deployments.

Both BGRS and SIRVA Canada were contracted by the Canadian government to provide relocation support to government employees. Such services include financial, logistical, and other support for employees changing work locations.

According to the Canadian government, the breach involves information held by BGRS and SIRVA Canada about current and former Government of Canada employees, members of the Canadian Armed Forces (CAF), and the RCMP, which is the national police service of Canada.

“Preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies,” reads the government’s statement.

Canadian journalists reported on a suspected breach in late October, alleging that BGRS was hacked. It’s hard to overstate the sensitivity of the breach as it likely involves the personal data of all military personnel that Canada has moved in the last 24 years.

For example, Canada’s largest ongoing overseas mission, Operation Reassurance, involves around 1,000 Canadian troops stationed in Latvia, a NATO member country bordering Russia, with plans to double Canada’s presence in the region.

Theoretically, attackers could access information about every CAF troop on NATO’s eastern flank.

While it’s unclear how many people were impacted by the cyberattack, authorities vouched to provide credit monitoring services and cover the costs of “reissuing valid passports that may have been compromised.”

The government also advised impacted individuals to update login credentials that may be similar to those used with BGRS or SIRVA Canada, establish multi-factor authentication on accounts used for online transactions, and monitor financial and personal online accounts for unusual activity.