National Post (National Edition)
Government acted ‘within hours’ of finding bug
OTTAWA • A security breach at Statistics Canada’s main website prompted the government to shut down a number of services over the weekend, including electronic tax filing at the Canada Revenue Agency, officials confirmed Monday.
That shutdown helped to ensure that the private information of Canadians was never compromised, officials said during a briefing to explain why the statistical agency’s site and that of the CRA had been largely unavailable.
Federal IT security officials were made aware late Wednesday of a bug in a computer program widely used by the federal government, Shared Services Canada’s chief operating officer, John Glowacki, told the briefing.
But it wasn’t until Thursday, after a breach was discovered at Statistics Canada, that the plug was pulled on the agency’s web servers.
“Thursday, at about midday, the StatCan information came to light ... based on a variety of systems we have scanning the environment,” Glowacki explained.
“Within, I’d say, three to four hours ... (from) when we recognized that there was activity on the server that wasn’t authorized, it was taken off-line.”
That action launched a cascade of events that resulted in online services at CRA being shut down as well. The tax agency took several of its web-based services off-line as a precaution Friday as IT experts scanned other government departments to see whether they could be affected by a problem that was detected in computer servers used by websites worldwide.
By late Sunday, CRA reported it had fixed its systems, tested for the vulnerability and brought the services back online.
The CRA services affected by the shutdown included “My Account,” “My Business Account,” “Netfile,” “EFILE” and “Auto-Fill My Return.”
Statistics Canada’s main website, which officials described as a “soft target,” was also back up and running by late Sunday.
Officials maintained that no personal data had been compromised before CRA took what they described as a preventive measure.
“There was unauthorized access to our web server,” Gabrielle Beaudoin at Statistics Canada confirmed. “That server does not contain any personal or sensitive information.”
The government also insisted that all affected departments “acted very quickly” to deal with the issue.
IT news website Ars Technica reported last week that the vulnerability had been identified by the international cybersecurity community as early as Monday, and that by mid-week hackers were escalating attacks on websites using a code-execution bug in the web application framework known as Apache Struts 2.
The “critical vulnerability” allowed hackers to take almost complete control of web servers used by banks, government agencies, and large Internet firms.