Cyber Incident Victim: Statistics Canada

On or around March 13, 2017, the Statistics Canada (statcan.gc.ca) website experienced a cyberattack that forced it offline for more than two days. Hackers exploited a recently identified vulnerability in Apache Struts 2 software, a framework widely used in government web infrastructure. The Apache Software Foundation had publicly disclosed the flaw and released a patch just days before the incident. Canadian authorities confirmed the breach and characterized the vulnerability as posing a "specific and credible threat" to government systems. The attack coincided with peak tax filing season, amplifying operational disruptions. Following the Statistics Canada compromise, officials proactively took portions of the Canada Revenue Agency's (CRA) website offline as a precautionary measure, though they confirmed the CRA itself had not been breached. The shared use of the vulnerable Apache Struts 2 software across both sites drove this containment decision.

The incident caused significant service interruptions during a high-traffic period for public access to government resources. Statistics Canada's communications director stated no personal, sensitive, or confidential data was compromised, noting that affected website content consisted exclusively of publicly available information. Technical experts indicated the exploited vulnerability could theoretically enable data theft or complete website shutdowns, though only service disruption materialized in this case. Government IT teams worked to apply the Apache-issued patch and restore services after mitigating the immediate threat. The coordinated response highlighted systemic risks posed by widely deployed software dependencies within critical infrastructure. No additional attacker motives, identities, or data exfiltration claims were substantiated in official disclosures regarding the incident.