Arab Canada News

Investigation into a major security breach in Global Affairs Canada

By Mounira Magdy

Published: January 31, 2024

Canadian authorities are investigating a prolonged data security breach following a "disclosure of malicious cyber activity" affecting the internal network used by Global Affairs Canada employees, according to internal department emails obtained by CBC News.

The breach affects at least two internal drives, as well as the emails, calendars, and contacts of many employees.

CBC News spoke to multiple sources familiar with the situation, including employees who were instructed on how the breach impacted their ability to work. Some were asked to stop working remotely as of last Wednesday.

CBC News also witnessed the sending of three internal emails to Global Affairs employees.

One email stated: "Forensic work has also progressed to help us understand the scope of the data breach." "Work is ongoing, but initial findings indicate that many Global Affairs Canada users may have been affected."

Another email mentioned that internal systems were compromised between December 20, 2023, and January 24, 2024, and informed anyone remotely connected using a SIGNET laptop (the Secure Integrated Global Network) that their information may have been at risk.

The "compromised" system was the virtual private network (VPN) used by company employees to access the Global Affairs headquarters in Ottawa. The GAC notice said the VPN system was managed by Shared Services Canada.

Shared Services Canada is a federal agency established in 2011 to deliver email, data centers, and network services to many government departments and agencies.

Global Affairs Canada confirms the breach

In a statement issued Tuesday, Global Affairs Canada said that an "unplanned IT outage" is affecting remote access to its network, and the department said the partial outage was deliberately activated on January 24 "to address the discovery of malicious cyber activity."

The statement said: "Initial findings indicate a data breach occurred and there was unauthorized access to user personal information, including employees," adding that the department is investigating the matter and communicating with those affected to ensure the security of their information.

The statement also said that communication within GAC buildings is fully operational and that employees working remotely in Canada have been provided with alternative solutions.

"The department's critical services and external communication channels remain available and operational."

According to Global Affairs, SIGNET is the department's secure computer network, with one part of the network holding personal information on shared drives, including employee personal information, and another part carrying classified information.

It is unclear whether the classified information was lost in the breach that lasted more than a month, and it is also unclear who was behind the breach.

A GAC memo to employees said that email and file traffic on personal and shared drives "may have been compromised." GAC also said it is investigating whether "sensitive company information," such as credit cards and banking data, was compromised.

The email sent by GAC to employees said that Shared Services Canada and the Canadian Centre for Cyber Security – part of the Communications Security Establishment, Canada's cybersecurity agency – are investigating the breach.

"Forensic work, including with these partners, is ongoing to help us understand the impact on our networks and any potential changes in the scope and timeline of the data breach," the email from GAC to employees said.

The Office of the Privacy Commissioner said that Global Affairs Canada reported the data breach to it on January 26.

A department spokesperson said in a media statement: "We are in continuous contact with the department to gather more information." "Following breach notification, our office will work with federal institutions to better understand the privacy risks related to the breach and ensure that the department takes appropriate steps, including notifying affected individuals."

Global Affairs Canada is a "natural target"

Wesley Wark, a national security expert at the University of Ottawa, said: "A breach of this duration has to be serious."

"Global Affairs Canada holds a lot of sensitive and classified information... It is a natural target for hacking but also vulnerable and holds important data."

Although sensitive diplomatic cables are sent using an encrypted system, a source told CBC News that some drafts of sensitive correspondence and some intelligence information may have been stored on the affected drives.

An email sent to employees said: "We recognize that this information may be concerning to many of you." "This is a developing situation and more information and guidance will be shared as soon as possible."

The email offers suggestions on how to protect "sensitive information" and encourages employees to monitor financial accounts for any unauthorized activity.

Meanwhile, some Global Affairs employees residing in Canada with security clearance are unable to work from home.

The email said: "This is not a permanent change to the hybrid work model but a temporary situation until this crisis passes."

A senior diplomatic source told CBC News that on several occasions last year, employees were asked to change passwords or immediately restart software, but were not given any further details.

Global Affairs said it is working with Shared Services Canada and the Canadian Centre for Cyber Security, part of the Communications Security Establishment, to restore full connectivity "as soon as possible."
