Hackers infiltrate province's IT system 6 times in 2 years
P.E.I. government emails, usernames, passwords accessed in cyber attacks
Hackers were able to gain access to email accounts, install malware and obtain administrative usernames and passwords.
Information about the data breaches was outlined in a response to a CBC News request under the province's Freedom of Information Act.
The province was notified about the first incident on Oct. 12 by the federal agency, the Canadian Cyber Incident Response Network.
Hackers obtained more than 200 administrative usernames and passwords to allow modifications to the province's website.
The province said the website was not altered in any way.
However, in response to the Freedom-of-Information request the province said the website was compromised the next day, but the content was removed and fixed.
The province said the hackers posted the usernames and encrypted passwords on another website, but that anyone wanting to use the information would have had to decrypt the passwords.
The government won't say how the information was obtained, only that it has changed the system so hackers can't gain access again using the same exploit.
"The province has been continuously improving the depth and level of the security, again in the face of an ever-increasing number of exploits that's available," said Scott Cudmore, a director with the province's information technology division.
At no time over the past two years have hackers obtained any personal information, said Cudmore.
But twice within the space of a week in June of 2013, hackers were able to crack into a small number of government email accounts using malware, malignant software programs which in this case tested accounts using common passwords, including the person's username.
The province says email accounts which were hacked used "weak passwords." The hacker or hackers involved tried to use the government email addresses to send tens of thousands of spam emails, but government shut the distribution down after only a small number were delivered.
Since those breaches, government has implemented stricter password protocols for email accounts.
But that's not enough, said IT security expert Travis Barlow of Halifax.
All the Atlantic provinces should move to what's called two-factor authentication, which makes email more secure, but also makes accessing your own account more difficult, he said.
"Getting back to the fact that they're compromised based on weak passwords, that really comes back to the need for the government to set up a complexity arrangement on their email policy," said Barlow.
Barlow said passwords should contain at least eight characters with at least one upper case, at least one number, one symbol or special character.
Although eight characters is probably still not complex enough, he said.
"If they have weak passwords, chances are, they don't have that enforced."
Barlow said there were probably more attacks than those listed by the P.E.I. government.
|Oct. 29, 2012||province's public website compromised|
|Oct. 30, 2012||compromise was located on website|
|June 3, 2012||malware detected on government department workstations|
|June 8, 2013||email accounts compromised, spam sent to external addresses|
|June 14, 2013||email accounts compromised, spam sent to external addresses|
|June 28, 2013||malware detected on unauthorized wireless device|