Federal pay system breach shows bad security plan: analyst

The recent security breach of the federal government’s online employee payment system is hardly a surprise, considering the public sector has long endured criticism of its flimsy security procedures, said one analyst.

“This has been going on for years,” said Michelle Warren, principal of Toronto-based MW Research and Consulting.

Last week, the federal government’s online employee pay system, called the Compensation Web Application, suffered a security breach that resulted in the loss of privacy of the compensation information for eight account holders. The self-service system, used by all departments, was shut down upon discovery of the attack.

Warren said the breach illustrates the lack of an overarching strategy and clear vision for the entire government’s IT infrastructure, of which security is just one component. “It is the whole backbone of the government … IT stores all the information of citizens, employees and ministers,” said Warren.

On the topic of government IT security, Warren remarked that the meagre $90 million the Conservative government is committing toward cyber security is “really a drop in the bucket” compared to other countries, such as the U.K., that are allocating the equivalent of $1 billion.

But regardless of the political party in power, Warren said cyber security must be a long-term investment.

This is not the first time this year the Canadian government has suffered a security breach. In February, hackers cut off Internet access for employees of the Treasury Board and Finance Department after using fake e-mails and posing as senior executives requesting passwords.

While servers based in China were used to route the attacks, it is not clear whether the assault actually originated from China itself. Chinese officials denied the attack. Prime Minister Stephen Harper responded that there will be a strategy to evolve government systems.

Following the attack on the Treasury Board and Finance Department, one security expert pointed out that such a strategy should include a cyber security leader or advisory board that spans all government agencies.

“If nobody is working together, you’re always going to have this problem,” said Terry Cutler, co-founder and chief security evangelist at Montreal-based data protection vendor Digital Locksmiths Inc.

Cutler’s comments about a lack of uniformity are highlighted by conflicting risk assessments in two audit reports of the Public Works’ pay and pension systems at issue in last week’s breach. In 2010, an audit by Auditor-General Sheila Fraser described the systems as “close to imminent collapse,” while the Public Works’ own assessment revealed only a low risk of privacy breach to employees.

Warren makes an educated guess that the less incriminating audit report may have been an attempt to diminish the severity of a “huge public outcry” in light of the upcoming election.

–with files from Rafael Ruffolo

Follow Kathleen Lau on Twitter: @KathleenLau
