OTTAWA—Statistics Canada was hacked and taxpayer information was made vulnerable after an online software update revealed a security flaw on government websites last week, officials say.
No personal or commercial information was accessed during the window of vulnerability that forced the Statistics Canada and Canada Revenue Agency websites offline from late Thursday and early Friday until Sunday afternoon, government officials told reporters Monday.
Scott Jones, assistant deputy minister of information technology security with the Communications Security Establishment (CSE), said it is too soon to say who was behind any hacking attempts, and described the successful access of the Statistics Canada site as most likely a “target of convenience — just some random hacker giving it a shot.”
“There were no other compromises to our knowledge, and believe me, we were all over this,” said John Glowacki, chief operating officer for Shared Services Canada, the federal government’s central IT branch.
“We’re confident that we’ve prevented government information, including the personal information of Canadians, from being released.”
The problem was identified last Wednesday at around 10:30 p.m., Glowacki said. It was flagged in the frequent communications the government receives from online security partners around the world about potential threats. This time it was through widely-used website design software, Apache Struts 2, which was identified as a gateway to potential hackers and needed to be updated, the officials explained.
Many federal websites use this software, along with companies and governments around the world, said Jones, who described the vulnerability as a global problem.
Officials noticed Thursday that Statistics Canada’s public site had been accessed by an unauthorized user, Jones said. That website was taken down Thursday night.
The Canada Revenue Agency was also considered vulnerable to hackers and the website was taken offline from early Friday morning until 5 p.m. on Sunday. Officials said that people were not able to file their taxes online during that time but they don’t anticipate any delays ahead of the tax season deadline this spring.
Glowacki said the websites were only vulnerable for “a matter of hours.” While an investigation continues, it appears the Statistics Canada site was the only one improperly accessed. “Nothing happens in these systems without logging,” he said.
Jones added, “We took the systems offline very quickly.”