Documents released under the Access to Information Act and obtained by CBC News offer insight into the consequences for private sector interests when a government institution they work with is breached.
The two companies were among those notified by the NRC in the days after the cyberattack that their data had been hacked. Both were subsequently approached by Chinese companies about their businesses.
The federal government blamed the attack on a Chinese state-sponsored actor.
One Canadian businessman wrote an email to the NRC saying, "It's somewhat ironic, that Canada's premier R&D organization, the NRC, although cutting edge with many new technologies, doesn't seem to have equivalent cutting-edge protection of its computer networks setup."
That person added, "I thought it quite 'coincidental,' that one day after receiving your letter, that this morning, I received the email below, from a Chinese company attempting to pedal [sic] its services to us."
He attached that email from the Chinese official which says, "We know that you are influential for [redacted] industry. Do you plan to import products with low cost and high quality from China? It were [sic] our honor if we can be your potential supplier," adding, "If you could share with us your process of becoming a qualified supplier we would like to provide you with options and expertise in the [redacted] area."
Much of both emails has been blacked out by access to information officials, for privacy reasons.
Company sought advice
Another Canadian company that had done work with the NRC called the NRC to express concern.
An email exchange after the phone call says the company has technology and a patent that deals with cyberintrusions.
The businessman said he found it strange that the Chinese were suddenly interested in buying his cybertechnology only days after the NRC system was hacked.
He wanted advice on what to do with the offer from the Chinese.
Just after the attack was discovered in July, the federal government directly fingered China for the first time.
In a statement, the federal government's chief information officer said "the government of Canada, through the work of the Communications Security Establishment, detected and confirmed a cyberintrusion on the IT infrastructure of the National Research Council of Canada, by a highly sophisticated Chinese state-sponsored actor."
No more email for sensitive information
Since then, NRC officials have told companies not to communicate sensitive information via email, but to transfer documents on a USB drive, or in paper form.
CBC asked the NRC to comment on what happened with the two Canadian companies, but in an email was told "for security reasons [the NRC] can't provide information on this issue."
The documents also show NRC officials were not telling clients much about what happened during the cyberattack.
For example, employees were not allowed to tell clients what exact information was breached and what was the severity of the situation.
According to talking points, employees were told to say they could not elaborate for "security and confidentiality reasons."Suggest a correction