Government websites in Canada have been hit by a rash of cyberattacks recently, with the latest one prompting several federal and provincial government agencies to shut down their systems.
On Dec. 10, the Canadian Centre for Cyber Security issued an alert about a “critical vulnerability” in Apache Log4j—a widely used logging software—which would allow an unauthorized actor to hack and access an affected device remotely.
“The Cyber Centre strongly encourages organizations internally review potentially impacted applications. While non-exhaustive, community sources are assisting in these efforts with the identification of impacted products,” the federal cyber security centre said.
Defence Minister Anita Anand issued a statement on Dec. 12 saying the government is aware of the security risk and reiterated the Cyber Centre’s call for all Canadian organizations to “pay attention to this critical internet vulnerability.”
Several federal and provincial government agencies heeded the advice and shut down their websites as a precautionary measure.
The Canada Revenue Agency (CRA) said in a statement issued on Dec. 10 that it was aware of the security vulnerability and decided to take its systems offline. All digital services were later restored on Dec. 14.
“We want to assure you that this precautionary service disruption was done to protect taxpayer information and CRA systems,” the agency said in a Dec. 14 update.
“There is currently no indication that CRA systems have been compromised, or that there has been unauthorized access to taxpayer information because of this vulnerability.”
The Quebec government also shut down roughly 4,000 government websites over the weekend as a preventative measure against a potential cyberattack.
Eric Caire, Quebec’s minister of digital transformation, said the government was unsure which website uses the Apache software, and had to shut them all down for inspection.
Ontario NDP MPP Chris Glover, his party’s critic for technology development and innovation, said the incident serves as a reminder of the importance of “being proactive against cybersecurity threats.”
“I urge the Ontario government to review our systems & processes to ensure we have the highest level of protection for public data and government administered websites,” Glover wrote on social media.
Rideau Hall is another high-level federal institution that was recently targeted by cybercrime.
A representative for Gov. Gen. Mary Simon confirmed in a Dec. 2 statement that there was “unauthorized access” into its internal computer network. The Office of the Secretary to the Governor General said it was working with the Cyber Centre to both undertake an investigation and to strengthen its network.
NL’s Health System Attacked
Newfoundland and Labrador suffered significant disruptions to its health-care system following a cyberattack on Oct. 30, which caused tens of thousands of medical appointments to be cancelled.
N.L. officials confirmed in November that both patient and employee data were stolen in the attack.
The province’s public safety minister, John Hogan, said in a press conference on Dec. 14 that the vast majority of the affected health-care systems are now back online, while most of the province’s health services have been restored. He said N.L. will continue to work with the RCMP and the Cyber Centre to investigate the attack.
“These kinds of cyberattacks are becoming more frequent, and we have seen examples across the Canadian health-care sector, which are increasing at an alarming rate,” Hogan said.
Representatives from each of N.L.’s regional health authorities also spoke at the press conference on the impact of the October system breach, with the most significant damage done to the Eastern Regional Health Authority.
David Diamond, president and CEO of Eastern Health, said 2,514 patients in the region had their social insurance number (SIN) stolen—more than half of which are now deceased.
“The process of collecting SIN numbers as part of registration is being reviewed and mitigation plans are being developed as we speak to prevent this from happening again,” Diamond said.
Eastern Health will be inviting the patients whose personal information was breached as part of the cyberattack to sign up for five years of credit monitoring through the credit reporting agency, Equifax, which Diamond said is part of the mitigation plan.
Diamond said the breach also accessed personal information from patients who’ve had specialized bloodwork and specimens collected across N.L.’s Regional Health Authorities or in private clinics over the past 11 years, as well as the patients’ registration information collected across the province as part of COVID-19 testing.
“While our systems were breached and the personal information was breached, that does not include test results. So folks can take some comfort in that while the personal information has been impacted, test results have not,” he said.