Federal officials say no personal information leaked in 'credible' software security threat

Federal government officials say no personal information was compromised by a software security risk that prompted a two-day shutdown of Canada Revenue Agency's online tax services.

The issue with the open source software called Apache Struts 2, which is used widely around the world in the public and private sector, prompted the CRA filing portals to go offline Friday. Services were restored late Sunday afternoon.

During a briefing with reporters in Ottawa Monday, officials also revealed that Statistics Canada's website was hacked, but said only data that was already publicly available was accessed from what they called a "soft target."

Jennifer Dawson, deputy chief information officer for the Treasury Board of Canada Secretariat, said IT security disabled affected servers and patched the cracks before returning digital services back to normal.

"Due to our quick and proactive approach, we're confident that we've prevented government information, including the personal information of Canadians, from being breached," she said. "We've seen no evidence of this information being compromised."

- Internet 'vulnerability' shuts down CRA 

Affected services included My Account, My Business Account, Represent a Client, the MyCRA mobile application, the MyBenefits mobile application, Netfile, EFILE and Auto-Fill My Return.

Officials said no tax file processing delays are expected as a result of the service disruption, and confirmed that no filing extensions will be granted as there are still seven weeks left before the May 1 filing deadline.

The security threat was first detected late Wednesday night. Statistics Canada's site was taken offline Thursday a few hours after the security breach, while the CRA site was temporarily suspended Thursday, brought back online and then shut down Friday.

Officials said the delay to shut down the systems was to properly assess the scope of the threat.

Specific, credible threat

John Glowacki, chief operating officer of Shared Services Canada, said the Apache Struts 2 software vulnerability is a world-wide problem that posed a "specific and credible threat" to certain government IT systems.

Canada was well-positioned to respond in a quick and co-ordinated way because federal IT services are managed as a central enterprise rather than in silos, he said. 

"The enterprise approach gives Canada a fairly unique approach in the world," he said. "In talking with colleagues from other countries, we are actually the envy of Five Eyes countries and others because Shared Services Canada exists."

Glowacki said some other countries are having greater difficulties with the vulnerability, but he would not say which ones.

Cyber-security expert Daniel Tobok said he has confidence in Canada's efforts to protect data and infrastructure, but warned that no country is immune from breaches and hacking. Any government department is a potential target, but CRA is considered a "glory of gold" because of the amount of sensitive information it retains on Canadians.

"It's very tempting for organized crime to try and intercept or expose any vulnerability so they can get access to data," he told CBC News.