Many Canadian companies are unprepared to deal with cybersecurity attacks against new and expanding computer technologies such as cloud-based computing, a new study says.
Five thousand people's e-mail addresses were obtained through an "unauthorized access" of the Ontario Education Ministry's website.
The ministry's website has been shut down for a week, said Education Ministry spokeswoman Nilani Logeswaran. The Ontario Provincial Police are investigating the breach, and the province has warned the 5,000 affected people to be on the lookout for anyone e-mailing them requests for private information.
All the people affected are members of the public who used the Education Ministry website to look into "workshop opportunities," she said in a statement on Friday evening. No personal information other than the e-mail addresses was obtained.
The discovery was made March 6, and the province has notified the Ontario Provincial Police as well as the province's Information and Privacy Commissioner, said Ms. Logeswaran. The province took down the website immediately and is working to fix the security problem that allowed the access, she said.
"The Ministry has contacted the affected individuals to tell them about this situation and assure them that although the risk is minimal, they should remain vigilant for any e-mails requesting their personal information," she said.
The letter, which was provided to The Globe and Mail, tells recipients that the provincial government will never send an e-mail asking for personal information.
It also says the e-mail addresses were published on a public website before that website was taken down, and it provided the link to the now-defunct website. It is a pastebin.com address, from a website that allows users to post text publicly for a set period of time, but making the source untraceable to viewers.
There's no sign right now that any other Ontario government network or system was also breached, she said. However, the Ministry of Training, Colleges and Universities website was also taken down as a precautionary measure. Both websites should be online again early next week.
For the past week, the homepages of the two government websites have been replaced with messages saying they were down for maintenance.
"Unauthorized access" could mean different things, said cybersecurity expert Raymond Vankrimpen. It could mean the website was vulnerable to the kind of attack that would allow a hacker to take the e-mail addresses from a database. It could also mean that the credentials of someone in the ministry were compromised – for example, if his or her identification and password were taken and used to get into the system.
The risks involved with e-mail addresses are low, since they are already relatively public, said Mr. Vankrimpen. He said informing the people affected and involving the privacy commissioner was a responsible way for the ministry to respond.
A week is an unusually long time for a government website to be down for security reasons, and can indicate that the security fix is complicated, he said. The Heartbleed bug, a serious security weakness, shut down the Canada Revenue Agency's website for about three or four days when it was discovered in April.
In December, all the provincial government websites appeared to be hacked for a few hours when their homepages were suddenly replaced by another image. The government later announced that its own systems hadn't been hacked, but that someone had targeted the domain routing service that brings visitors to their websites, rerouting people to the new page.