On Monday, the government announced that it had shut down a couple of its websites after hackers exploited a vulnerable web server by utilizing a previously-unknown software bug.
Both Canada Revenue Agency (CRA) and Statistics Canada disclosed that they were victims of a data breach due to a security bug in the website software known as Apache Struts 2. The software is often used in websites of governments, financial institutions, retailers, and other large organizations.
Learn more about data breach insurance here.
“Due to our quick and pro-active approach, we’re confident that we’ve prevented government information, including the personal information of Canadians, from being breached. We’ve seen no evidence of this information being compromised,” said Treasury Board of Canada Secretariat deputy chief information officer Jennifer Dawson during a technical briefing Monday.
Developer Apache Software Foundation released a patch last week to fix the bug, revealing that the exploit allowed hackers to gain remote control of a web server. The patch allowed the CRA and Statistics Canada to relaunch their websites on Sunday.
Want the latest insurance industry news first? Sign up for our completely free newsletter service now.
“This vulnerability is super easy to exploit,” Veracode chief technology officer with security software Chris Wysopal explained to Reuters. “You just point it to the web server and put in the command that you want to run.”
Other government websites may have been affected by the cyberattack, but only Statistics Canada and the CRA, to date, have come forward regarding news of the breaches.
Security firms said they are expecting more attacks to come as details of the software exploit were posted on security forums and hacking websites the previous week.
The Globe and Mail reported that Cisco Systems had actually issued an advisory about the software vulnerability last Monday, but government officials did not identify the problem with its systems until Wednesday evening. After the CRA’s online tax filing system was hacked, Statistics Canada’s website was attacked the next day, shutting down within three to four hours after the breach.
Officials said that the hacker only accessed the agency’s public-facing website and did not seem to steal any information. Although the government does not know who perpetrated the hacks, it is not ruling out the possibility of foreign-government involvement.
Related stories:
Cyber-light policies aren’t worth it and they’re everywhere: cyber leader
Canada may be next target of Russian cyber attack: Report