Times Colonist

StatCan breach derails online tax filing, services

Problem fixed, no personal information compromised, feds say

- TERRY PEDWELL

OTTAWA — A security breach at Statistics Canada’s main website prompted the government to shut down a number of services during the weekend, including electronic tax filing at the Canada Revenue Agency, officials confirmed on Monday.

That shutdown helped to ensure that the private information of Canadians was never compromised, officials said during a briefing to explain why the statistical agency’s site and that of the CRA had been largely unavailable.

Federal IT security officials were made aware of a bug in a computer program widely used by the federal government late Wednesday, Shared Services Canada’s chief operating officer, John Glowacki, told the briefing.

But it wasn’t until Thursday, after a breach was discovered at Statistics Canada, that the plug was pulled on the agency’s web servers.

“Thursday, at about midday, the StatCan information came to light … based on a variety of systems we have scanning the environment,” Glowacki explained.

“Within, I’d say, three to four hours … [from] when we recognized that there was activity on the server that wasn’t authorized, it was taken offline.”

That action launched a cascade of events that resulted in online services at the Canada Revenue Agency being shut down as well.

The tax agency took several of its web-based services offline as a precaution Friday as IT experts scanned other government departments to see whether they could be affected by a problem that was detected in computer servers used by websites worldwide.

By late Sunday, CRA reported it had fixed its systems, tested for the vulnerability and had brought the services back online.

The CRA services affected by the shutdown included “My Account,” “My Business Account,” “Netfile,” “EFILE” and “Auto-Fill My Return.”

Statistics Canada’s main website, which officials described as a “soft target,” was also back up and running by late Sunday.

Officials maintained that no personal data had been compromised before CRA took what they described as a preventive measure.

“There was unauthorized access to our web server,” Gabrielle Beaudoin, director general of communications at Statistics Canada, confirmed. “That server does not contain any personal or sensitive information.”

The government also insisted that all affected departments “acted very quickly” to deal with the issue.

IT news website Ars Technica reported last week that the vulnerability had been identified by the international cybersecurity community as early as last Monday, and that by mid-week attacks were escalating on websites by hackers using a code-execution bug in the web application framework known as Apache Struts 2.

The “critical vulnerability” allowed hackers to take almost complete control of web servers used by banks, government agencies, and large Internet firms.

Despite a patch being made quickly available, hackers were still exploiting the bug throughout the week to inject their own commands into servers that had not yet installed the update, said Ars Technica.

Researchers at Cisco Systems said they had seen a “high number of exploitation events” by hackers attempting to carry out a range of malicious acts.

Attackers were injecting commands into web pages to prevent firewalls from protecting the servers, allowing malware to be uploaded that could, among other things, hide their real IP address during Internet chats or cause a denial of service.

“These are several of the many examples of attacks we are currently observing and blocking,” Cisco’s Nick Biasini wrote on the Hack Players website.

“The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available.”

Canadian officials said Monday that other countries that had not responded quickly to the vulnerability were facing more serious breaches.

CP François Dicaire, left, deputy assistant commissioner IT for the Canada Revenue Agency, Gabrielle Beaudoin, director general of communications for Statistics Canada, Scott Jones, assistant deputy minister, IT security at the Communications Security...
