Federal officials say no personal information leaked in 'credible' software security threat

Federal government officials say no personal information was compromised by a software security threat that caused the Canada Revenue Agency to shut down online tax services for two days.

CRA's online service was suspended for 2 days after hacking incident at Statistics Canada

The Canada Revenue Agency shut down secure portals of its website for two days after a software vulnerability was detected. (Sean Kilpatrick/Canadian Press)

Federal government officials say no personal information was compromised by a software security risk that prompted a two-day shutdown of Canada Revenue Agency's online tax services.

The issue with the open source software called Apache Struts 2, which is used widely around the world in the public and private sector, prompted the CRA filing portals to go offline Friday. Services were restored late Sunday afternoon.

During a briefing with reporters in Ottawa Monday, officials also revealed that Statistics Canada's website was hacked, but said only data that was already publicly available was accessed from what they called a "soft target."

Jennifer Dawson, deputy chief information officer for the Treasury Board of Canada Secretariat, said IT security disabled affected servers and patched the cracks before returning digital services back to normal.

"Due to our quick and proactive approach, we're confident that we've prevented government information, including the personal information of Canadians, from being breached," she said. "We've seen no evidence of this information being compromised."

Affected services included My Account, My Business Account, Represent a Client, the MyCRA mobile application, the MyBenefits mobile application, Netfile, EFILE and Auto-Fill My Return.

Officials said no tax file processing delays are expected as a result of the service disruption, and confirmed that no filing extensions will be granted as there are still seven weeks left before the May 1 filing deadline.

The security threat was first detected late Wednesday night. Statistics Canada's site was taken offline Thursday a few hours after the security breach, while the CRA site was temporarily suspended Thursday, brought back online and then shut down Friday.

Officials said the delay to shut down the systems was to properly assess the scope of the threat.

Specific, credible threat

John Glowacki, chief operating officer of Shared Services Canada, said the Apache Struts 2 software vulnerability is a world-wide problem that posed a "specific and credible threat" to certain government IT systems.

Canada was well-positioned to respond in a quick and co-ordinated way because federal IT services are managed as a central enterprise rather than in silos, he said. 

John Glowacki, Chief Operating Officer for Shared Services Canada says that the shutdown of the Canadian Revenue Agency and Stas Canada websites was precautionary after a credible threat was discovered. 0:59

"The enterprise approach gives Canada a fairly unique approach in the world," he said. "In talking with colleagues from other countries, we are actually the envy of Five Eyes countries and others because Shared Services Canada exists."

Glowacki said some other countries are having greater difficulties with the vulnerability, but he would not say which ones.

Cyber-security expert Daniel Tobok said he has confidence in Canada's efforts to protect data and infrastructure, but warned that no country is immune from breaches and hacking. Any government department is a potential target, but CRA is considered a "glory of gold" because of the amount of sensitive information it retains on Canadians.

"It's very tempting for organized crime to try and intercept or expose any vulnerability so they can get access to data," he told CBC News.

The CRA said all of its online services were back to normal late Sunday afternoon after being offline since Friday afternoon. (CRA)

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.