April 30, 2019
Dear division presidents and zone presidents,
This message is to inform you of an incident that occurred on Tuesday, April 23 regarding the CSP’s national website, www.skipatrol.ca
At 10:30 AM (Eastern) on April 23, an individual was able to successfully gain access to the file structure that supports the national website. At this time, the evidence suggests that the individual exploited a vulnerability in the software platform that the website is built around. While it is normal practice to apply all recommended security patches to the software platform, it appears the intrusion took advantage of a previously unidentified vulnerability.
Please note that the National Database System, which resides on the same host server as the website, shows no evidence of being affected by these events. The security of the personal information data of our membership was not compromised. The IT team was able to identify the pattern and evidence left by the intruder; logs associated to the NDS have no anomalies and all activity has been accounted for.
Evidence suggests that damage caused by the intruder was limited to the deletion of several key files needed to run the website, hence the downtime that occurred between April 23 and 24. These files were recovered from the disaster recovery backup which had been run, according to plan, several days earlier. The recovered files were successfully added to the system with no loss of data or functionality. A file scan found no foreign files or malware present in the website structure, and we have ensured that all of the systems are running with the latest software security patches.
In an abundance of caution, we will be reporting the intrusion to the Office of the Privacy Commissioner. A detailed review of this incident was started immediately and took several days to complete. Key leadership was engaged within hours of the intrusion being identified and is continuing to monitor the review. The IT team has revised its policies and will be strengthening all administrative account privileges with new security routines. An IT security audit has also been scheduled, which will probe the site for other vulnerabilities as well as test the IT team’s policies to ensure they are consistent with industry norms.
Please feel free to contact me with any questions or concerns you might have.
Greg McCormick,
Vice-president (Brand and Partners)
This post is also available in: French