Federal officials say no personal information leaked in 'credible' software security threat

Federal government officials say no personal information was compromised by a software security risk that prompted a two-day shutdown of Canada Revenue Agency's online tax services.

The issue with the open source software called Apache Struts 2, which is used widely around the world in the public and private sector,prompted the CRA filing portals to go offline Friday. Services were restored late Sunday afternoon.

During a briefing with reporters in Ottawa Monday, officials also revealed that Statistics Canada's website was hacked, but said only data that was already publicly available was accessed from what they called a "soft target."

Jennifer Dawson, deputy chief information officer for the Treasury Board of Canada Secretariat, said IT security disabledaffected servers and patched the cracksbefore returning digitalservices back to normal.

"Due to our quick and proactive approach, we're confident that we've prevented government information, including the personal information of Canadians, from being breached," she said. "We've seen no evidence of this information being compromised."

• CRA online services running again
• Internet 'vulnerability' shuts down CRA

Affected services included My Account, My Business Account, Represent a Client, theMyCRAmobile application, theMyBenefitsmobile application,Netfile,EFILEand Auto-Fill My Return.

Officials said no tax file processing delaysare expected as a result of the service disruption, and confirmed that no filing extensions will be granted as there are still seven weeks leftbefore the May 1 filing deadline.

The security threat was first detected late Wednesday night. Statistics Canada's site was taken offline Thursday a few hours after the security breach, while the CRA site was temporarily suspended Thursday, brought back onlineand then shut down Friday.

Officials said the delay to shut down the systems was to properly assess the scope of the threat.

Specific, credible threat

John Glowacki, chief operating officer of Shared Services Canada, said the Apache Struts 2 software vulnerability is a world-wide problem that posed a "specific and credible threat" to certain government IT systems.

Canada was well-positioned to respond in a quick and co-ordinated way because federal IT services are managed as a central enterprise rather than in silos, he said.

Canada Revenue Agency website shutdown was precautionary

8 years ago

Duration 0:59

John Glowacki, Chief Operating Officer for Shared Services Canada says that the shutdown of the Canadian Revenue Agency and Stas Canada websites was precautionary after a credible threat was discovered.

"The enterprise approach gives Canada a fairly unique approach in the world," he said. "In talking with colleagues from other countries, we are actually the envy of Five Eyes countries and others because Shared Services Canada exists."

Glowacki said some other countries are having greater difficulties with the vulnerability, but he would not say which ones.

Cyber-security expert Daniel Toboksaid he has confidence in Canada's efforts to protect data and infrastructure, but warned that no country is immune from breaches and hacking. Any government department is a potential target, but CRA is considered a "glory of gold" because of the amount of sensitive information it retains on Canadians.

"It's very tempting for organized crime to try and intercept or expose any vulnerabilityso they can get access to data," he told CBC News.