The Canada Revenue Agency headquarters in Ottawa is shown on November 4, 2011. Sean Kilpatrick/The Canadian Press

Canada's federal agencies in charge of statistics and taxes both say they have fixed vulnerabilities in their computer systems that forced them to shut down some online services over the weekend.

The Canada Revenue Agency said Sunday evening that it had fixed a security threat that led it to suspend online tax filing on Friday. Statistics Canada's website was down from early Friday morning until about 9:30 p.m. ET Sunday evening. The outage prevented the agency from disseminating its monthly Labour Force Survey employment statistics, one of the most important economic releases on Statscan's calendar, over the Internet as it normally does.

Spokespeople for both agencies could not say late Sunday whether these vulnerabilities were related, but both stated there was no evidence that hackers had accessed anyone's personal information through the hole in the systems.

"In the last 48 hours, the CRA has worked around the clock with other government departments to implement a solution to address the vulnerability," CRA spokesperson Patrick Samson said in an e-mailed statement. "We are now confident that the solution has been rigorously and successfully tested and services returned online. We took this action as a precaution, not as the result of a successful hack or breach."

Digital services were off-line during the scare until officials were satisfied there was no longer a security risk, he said. Canadians should not expect a delay in getting their refunds this tax season, he added.

In a statement released late Sunday, Statscan said: "Due to a recent vulnerability impacting specific computer systems worldwide, we took our website offline and are working in close collaboration with Shared Services Canada to address this issue and are resuming services as we are assured that information and systems are safe."

Shared Services Canada, the government agency set up by the previous Harper government to streamline the e-mail, data and network services across the federal public service, has come under considerable criticism over the past year for several high-profile problems related to government information systems, including unpaid paycheques and an RCMP communications outage.

Statscan suffered repeated short interruptions on its website as well as a more serious seven-hour outage of its systems last summer, coincidentally also on a day when it released its Labour Force Survey. The previous head of Statscan, Wayne Smith, cited issues surrounding Shared Services' handling of Statscan's information systems when he resigned in September, saying they compromised the statistical agency's independence.

Both Statscan and Shared Services referred inquiries about the latest system interruptions to the Treasury Board of Canada Secretariat. Alain Belle-Isle, spokesman for the TBS, said Sunday evening that the servers of "some organizations, including Statistics Canada and the Canada Revenue Agency," were taken offline "as a precautionary measure," but there was no evidence that government systems had actually been hacked.

"The vulnerability is in a third-party application that's used to run a variety of websites in the public and private sectors. It's not exclusive to government websites or to websites interacting with the government. It affects all kinds of websites worldwide," he said in an e-mail.

"We took pre-emptive action to patch the vulnerability in our own systems. There's no indication that there was a breach," he said.

"We are monitoring the situation closely," Mr. Belle-Isle said. "Canadians can be assured that servers will only be brought back into service once we have taken all necessary steps to protect the security of our systems and Canadians' personal information."

It is unknown if the problem identified by the CRA last week is similar to the Heartbleed bug, a security loophole in software protecting encrypted websites around the world that allowed unauthorized people to access data that was supposedly protected.

Heartbleed forced the tax agency to shut down its filing system in 2014 to protect Canadians from having their personal information stolen.

The 2014 shutdown came only weeks before the April 30 tax deadline, forcing a delay.

The tax agency said about 900 social insurance numbers were stolen during that breach. Days after the shutdown, the RCMP arrested a 19-year-old computer science student from London, Ont., for allegedly exploiting Heartbleed to steal the data.

A year after that major security breach, the agency conducted an internal security test and found thousands of its employees could not resist the lure of a phony e-mail phishing scam.

In a security test over the first three months of 2015, the agency's security and internal-affairs division sent 16,000 employees an e-mail designed to replicate the potentially dangerous messages that are common to anyone with an e-mail account, The Globe and Mail learned.

A phishing scam usually involves an e-mail that encourages a user to click on a link, which could then expose the user's computer to malicious software.

The result of the CRA's test was that 78 per cent of employees did not click on the link contained in the phishing attempts.

However, that means roughly 3,500 employees did fall for the scam, even though they were informed ahead of time that the test would take place.

A spokesperson for the CRA said at the time that these results would lead to further employee training.

Recent polls show human error is a growing factor in security incidents, including failure to follow security procedures and failure of staff to get up to speed with new threats.

With a report from The Canadian Press.
