Government officials reassured Canadians Monday that none of their personal information was compromised after Statistics Canada's website was hacked and the Canada Revenue Agency's website was shut down as a precautionary measure when similar vulnerabilities were identified in its computer system.
The federal agencies were forced to shut down some of their online services over the weekend after vulnerabilities were found within a Web development tool used by both websites. The software, called Apache Struts2, is used globally in the public and private sectors, including among other governments.
A number of Canadian government websites use Struts2 – seniors officials refused to say exactly how many – but only Statistics Canada and the CRA's systems were using the version that posed a risk. The websites, including the CRA's online tax filing system, were taken offline after the vulnerabilities were identified last week and came back online Sunday evening after the updated – or "patched" – version was installed.
"Due to our quick and pro-active approach, we're confident that we've prevented government information, including the personal information of Canadians, from being breached. We've seen no evidence of this information being compromised," said Jennifer Dawson, deputy chief information officer at the Treasury Board of Canada Secretariat, during a technical briefing with reporters on Monday.
Despite the fact that Cisco Systems Inc. issued an advisory about the Struts2 vulnerability last Monday, officials said the government did not identify the problem within its own computer systems until Wednesday around 10:30 p.m. The Statistics Canada website was hacked the next day and shut down within three to four hours. They said the hacker only accessed the agency's public-facing website and did not appear to steal any information.
"It was most likely a target of convenience. Just some random hacker giving it a shot," said Scott Jones, assistant deputy minister of IT security at the Communications Security Establishment.
Throughout the day, the government scanned for other potential threats and subsequently shut down the CRA's website Thursday night. The CRA website went back online briefly on Friday, but was quickly shut down again. Both websites went back online Sunday evening around 5 p.m. after the vulnerabilities were fully addressed.
The government doesn't know who hacked the Statistics Canada website and is not ruling out the possibility of foreign-government involvement.
"We never rule out anything. We always run these leads as far as we possibly can," Mr. Jones said. "This is a widely used or widely accessible vulnerability, which makes it even harder to do any attribution for this type of activity."
Patrick Malcolm, an Ottawa-based cybersecurity expert, said the information available on the website is not of much interest to foreign governments.
"The information that would be available on the website to the bad actors would be of minimal value from a nation-state perspective," he said. "It's going to be account information, social insurance numbers … not sensitive to foreign governments."
Shared Services Canada was set up by the previous Harper government to streamline e-mail, data and network services across the federal public service. Its chief operating officer John Glowacki said Monday that the government is proud of its "enterprise" approach to the recent vulnerabilities, as opposed to the silo-like approach that existed before Shared Services Canada was established.
"In talking with colleagues from other countries, we are actually the envy of the Five Eyes countries and others because Shared Services Canada exists, there's this central point."
Mr. Jones warned other Struts2 users, especially businesses, to install the update immediately to avoid a hack.
The CRA also noted that there will be no delay in tax returns this year as a result of last weekend's website shutdown.
With files from Mike Hager and David Parkinson