Cyber attackers broke into a Statistics Canada server on March 9, forcing the federal data agency to take its website offline for hours, but senior government officials stressed there was no evidence of any personal privacy breaches.
Even so, the attack accelerated a hunt across government already in progress for similar vulnerabilities, and led the Canada Revenue Agency to shut down its tax filing portal over the weekend, officials said Monday in a briefing to reporters in Ottawa.
This was a "specific and credible threat to certain government IT systems," said Shared Services Canada Chief Operating Officer John A. Glowacki Jr.
A senior official from the Communications Securities Establishment (CSE), Canada's electronic spy agency, told reporters that it was "extremely difficult" to pinpoint who was behind the attack.
Statistics Canada’s website was down last Thursday afternoon after government IT officials discovered that its server had been penetrated, said Gabrielle Beaudoin, the agency’s director general for communications.
The server contained public-facing materials like data tables and publications, said Beaudoin, but the fact that the breach had occurred was enough to spook officials to close the door.
She assured Canadians that "systems that house personal information were not reached by this issue."
The episode at the data agency occurred within 24 hours of government officials becoming aware late in the day on March 8 of an update to a web application framework, widely used across government of Canada servers, that could be exploited, said Glowacki.
The vulnerability involves a specific upgrade version of Apache Struts 2, an open-source framework for developing web applications using Java. Glowacki said a “variety of departments” in the Canadian federal government use this software.
As part of a hunt across government that involved Treasury Board and CSE, which is also the agency that advises the government on how to protect its computer networks, officials also decided to take offline portions of the CRA where Canadians file taxes.
That ability was removed at midnight on March 10, said Francois Dicaire, the tax agency’s deputy assistant commissioner for IT.
It was back online at 1:30 a.m., said Dicaire, but due to another security warning from CSE it was taken offline again at 2 p.m. to "proactively protect taxpayer information.” Service was restored again on March 12 at 5 p.m., he said.
There was "no reason to believe there was unauthorized access to taxpayer information,” said Dicaire. He said the agency wasn’t planning on extending its tax filing deadline.
The CRA, already in a critical moment of the year as Canadians file their tax returns ahead of the April 30 deadline, faced questions on social media over the weekend after announcing the website outage.
Vulnerability alerts are issued many times a day, explained Scott Jones, Assistant Deputy Minister of IT Security at CSE, and officials must "triage" to act on the most important threats. The government became aware, after looking at this vulnerability, what the impact could be, across its 23,000 servers.
Jones himself said publicly two weeks ago he believes "new vulnerabilities are found every day" and that he was "really worried" about knowing and plugging all the specific holes.
The government reached out to provincial and territorial counterparts, said Jennifer Dawson, deputy chief information officer at Treasury Board Secretariat, as well as “internationally” on the matter.
"We've seen no evidence of this information being compromised,” she said.
"This is an example of the system working really well."