
Yukon gov't websites appear to have been hacked: expert

A couple of Yukon government websites appear to have been hacked, according to a computer science expert. One website redirected visitors to porn.

The government said that it's working to fix the issues, and it doesn't appear at the moment that any private information was improperly accessed.

Diane McLeod-McKay, Yukon's information and privacy commissioner, said on Friday that her office is looking into the matter.

One of the websites in question contains Yukon Public Libraries' catalogue. The website has an area for people to log in using a library card number.

Several URLs that start with the beginning of the website's address (pac.gov.yk.ca) immediately redirected visitors to websites containing pornographic images of women. That redirection appears to have stopped, and the site was shut down on Friday.

Nur Zincir-Heywood, a professor of computer science at Dalhousie University in Halifax, said there are several ways an issue like this could arise.

She stressed that her knowledge is limited on this particular situation, in part because she wasn't personally involved in this website's security measures, but she said it sounds like a hacker was able to put a malicious script on the website to cause the redirection.

"Sometimes these attacks could be used as stepping stones," Zincir-Heywood said.

A CBC reporter unintentionally discovered the issue on Wednesday while searching a government website.

The CBC asked Yukon's Department of Community Services about the redirecting pages that day. The following day, spokesperson Stacie Zaychuk said that the director of Yukon Public Libraries didn't know of any security issues with the website.

A few hours later, the redirection to the porn sites stopped.

"Definitely, somebody found an exploit, a way to make the site do something that it shouldn't do," said Mark Burns, director of E-Services for Citizens, part of the Department of Highways and Public Works, on Friday.

Of the 115 redirects over the last 30 days, 100 happened to an automated bot run out of California. The rest were experienced by real users, including probably several people investigating the issue when it was brought to light on Thursday, he said.

The bot redirected traffic to those porn sites with the aim of improving search rankings of those porn sites, Burns said.

He said he wasn't sure if the usernames and passwords for the login system on the Yukon Public Libraries' website were stored on the website itself, and that's one of the reasons why the website was shut down.

"There is no evidence that anyone had access to the actual site, to the administration panel, or altered the site or had access to any of the files on the server," Burns said, noting that's just the understanding so far in the investigation and that things can change.

It's not known yet how long the website's vulnerability was taken advantage of, he said.

McLeod-McKay said her office learned about these website issues from an earlier version of this article.

"We have since reached out to Yukon government to have them follow up to determine whether or not there's been any personal information at risk," she said.

The government is following its breach protocols, which involve looking into the issues, McLeod-McKay said.

"If there was a breach of privacy, [the government] would generally provide us with a report," she said.

Under the Access to Information and Protection of Privacy Act, the government does not have to report privacy breaches to her office nor notify people affected by a breach, McLeod-McKay said.

Still, she said, "both public bodies would be notifying individuals if there's a risk of significant harm to an individual as a result of a breach."

If McLeod-McKay's office gets a report, staff members will go through it, see what the government did to address the issues, and provide potential recommendations. The government doesn't have to follow those recommendations, but it generally does, she said.

Steve Silva/CBC

The CBC also found what could be an issue with the website of Lotteries Yukon, an organization that handles administrative matters for the Yukon Lottery Commission, apparent by looking at cached pages from the website.

Cached pages are essentially snapshots of what web pages looked like at a particular time. They're viewable via Google's search engine.

Cached pages of the organization's website dated June 10 and July 3 show a page that's a version of a blog by an apparent fitness professional in the U.K. and a Russian-language page about shoes, respectively — nothing about Lotteries Yukon.

Much of the website is offline due to "some technical difficulties," retail and sales officer Melissa Hale said in an email on Aug. 4.

"There was no personal information at risk."

Further details about what happened weren't provided by Lotteries Yukon, and requests for an interview weren't fulfilled.

"It seems like they belong to the same category of attack behaviour," but that doesn't necessarily mean they were done by the same person, Zincir-Heywood said of the websites' issues.

She said that once a website is compromised, it should be taken off the internet. An analysis should also be done to figure out what happened, including determining if there are more issues, in order to address vulnerabilities.

A number of territorial government websites have been attacked over the last year or so. In April, the Northwest Territories Power Corporation went offline after an apparent ransomware attack. That followed an attack on Nunavut's government websites in November 2019.