Federal pay system breach shows bad security plan: analyst

The recent security breach of the federal government’s online employee payment system is hardly a surprise, considering the public sector has long endured criticism of its flimsy security procedures, said one analyst.

“This has been going on for years,” said Michelle Warren, principal of Toronto-based MW Research and Consulting.

Last week, the federal government’s online employee pay system, called the Compensation Web Application, suffered a security breach that resulted in the loss of privacy of the compensation information for eight account holders. The self-service system, used by all departments, was shut down upon discovery of the attack.

Warren said the breach illustrates the lack of an overarching strategy and clear vision for the entire government’s IT infrastructure, of which security is just one component. “It is the whole backbone of the government … IT stores all the information of citizens, employees and ministers,” said Warren.

On the topic of government IT security, Warren remarked that the meagre $90 million the Conservative government is committing toward cyber security is “really a drop in the bucket” compared to other countries, such as the U.K., that are allocating the equivalent of $1 billion.

But regardless of the political party in power, Warren said cyber security must be a long-term investment.

This is not the first time this year the Canadian government has suffered a security breach. In February, hackers cut off Internet access for employees of the Treasury Board and Finance Department after using fake e-mails and posing as senior executives requesting passwords.

While servers based in China were used to route the attacks, it is not clear whether the assault actually originated from China itself. Chinese officials denied the attack. Prime Minister Stephen Harper responded that there will be a strategy to evolve government systems.

Following the attack on the Treasury Board and Finance Department, one security expert pointed out that such a strategy should include a cyber security leader or advisory board that spans all government agencies.

“If nobody is working together, you’re always going to have this problem,” said Terry Cutler, co-founder and chief security evangelist at Montreal-based data protection vendor Digital Locksmiths Inc.

Cutler’s comments about a lack of uniformity are highlighted by conflicting risk assessments in two audit reports of the Public Works’ pay and pension systems in last week’s breach. In 2010, an audit by Auditor-General Sheila Fraser described the systems to be “close to imminent collapse,” while the Public Works’ own assessment revealed only a low risk of privacy breach to employees.

Warren makes an educated guess that the less incriminating audit report may have been an attempt to diminish the severity of a “huge public outcry” in light of the upcoming election.

–with files from Rafael Ruffolo

Follow Kathleen Lau on Twitter: @KathleenLau


