Skip to main content

Gabrielle Beaudoin (left), director general of communications for Statistics Canada, Scott Jones (center), assistant deputy minister, IT Security at the Communications Security Establishment, and John Glowacki (right), chief operating officer of Shared Services Canada give a technical briefing on an Internet security vulnerability affecting Government of Canada websites in Ottawa on March 13, 2017. THE CANADIAN PRESS/ Patrick Doyle

PATRICK DOYLE/THE CANADIAN PRESS

Government officials reassured Canadians Monday that none of their personal information was compromised after Statistics Canada's website was hacked and the Canada Revenue Agency's website was shut down as a precautionary measure when similar vulnerabilities were identified in its computer system.

The federal agencies were forced to shut down some of their online services over the weekend after vulnerabilities were found within a Web development tool used by both websites. The software, called Apache Struts2, is used globally in the public and private sectors, including among other governments.

A number of Canadian government websites use Struts2 – seniors officials refused to say exactly how many – but only Statistics Canada and the CRA's systems were using the version that posed a risk. The websites, including the CRA's online tax filing system, were taken offline after the vulnerabilities were identified last week and came back online Sunday evening after the updated – or "patched" – version was installed.

Story continues below advertisement

Subscribers only: Statscan website failures causing uneven playing field for traders, investors

"Due to our quick and pro-active approach, we're confident that we've prevented government information, including the personal information of Canadians, from being breached. We've seen no evidence of this information being compromised," said Jennifer Dawson, deputy chief information officer at the Treasury Board of Canada Secretariat, during a technical briefing with reporters on Monday.

Despite the fact that Cisco Systems Inc. issued an advisory about the Struts2 vulnerability last Monday, officials said the government did not identify the problem within its own computer systems until Wednesday around 10:30 p.m. The Statistics Canada website was hacked the next day and shut down within three to four hours. They said the hacker only accessed the agency's public-facing website and did not appear to steal any information.

"It was most likely a target of convenience. Just some random hacker giving it a shot," said Scott Jones, assistant deputy minister of IT security at the Communications Security Establishment.

Throughout the day, the government scanned for other potential threats and subsequently shut down the CRA's website Thursday night. The CRA website went back online briefly on Friday, but was quickly shut down again. Both websites went back online Sunday evening around 5 p.m. after the vulnerabilities were fully addressed.

The government doesn't know who hacked the Statistics Canada website and is not ruling out the possibility of foreign-government involvement.

"We never rule out anything. We always run these leads as far as we possibly can," Mr. Jones said. "This is a widely used or widely accessible vulnerability, which makes it even harder to do any attribution for this type of activity."

Story continues below advertisement

Patrick Malcolm, an Ottawa-based cybersecurity expert, said the information available on the website is not of much interest to foreign governments.

"The information that would be available on the website to the bad actors would be of minimal value from a nation-state perspective," he said. "It's going to be account information, social insurance numbers … not sensitive to foreign governments."

Shared Services Canada was set up by the previous Harper government to streamline e-mail, data and network services across the federal public service. Its chief operating officer John Glowacki said Monday that the government is proud of its "enterprise" approach to the recent vulnerabilities, as opposed to the silo-like approach that existed before Shared Services Canada was established.

"In talking with colleagues from other countries, we are actually the envy of the Five Eyes countries and others because Shared Services Canada exists, there's this central point."

Mr. Jones warned other Struts2 users, especially businesses, to install the update immediately to avoid a hack.

The CRA also noted that there will be no delay in tax returns this year as a result of last weekend's website shutdown.

Story continues below advertisement

With files from Mike Hager and David Parkinson

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter