Wed. Nov 19th, 2025

Study Warns: Canadian Government Websites Are ‘Easy Targets’ for Hackers, Riddled With Major Security Flaws

A sweeping five-year investigation into the security of federal, provincial and municipal government websites in Canada has uncovered alarming vulnerabilities — from outdated systems to serious coding flaws — leaving public institutions exposed to cyberattacks and putting millions of residents at risk.

At Toronto’s SecTor Cybersecurity Conference, Quebec-based security experts Patrick Mathieu and Patrick Roy revealed that many government websites are running on 20-year-old legacy systems with weak or nonexistent modern protections. The findings show widespread issues including critical misconfigurations, outdated software, exposed interfaces and even vulnerabilities as severe as SQL injection, one of the most dangerous forms of attack, which allows hackers to steal data or take complete control of a system.

Researchers even discovered a government website redirecting unsuspecting visitors to pornographic content, the result of SEO poisoning — a technique in which scammers manipulate search results to lure users into clicking compromised links.

Municipalities Hit Especially Hard

Ontario municipal websites were found to contain numerous high-risk vulnerabilities, echoing the devastating 2023 Hamilton ransomware attack that shut down city services for weeks and cost the municipality at least $18.3 million. Audits later showed Hamilton had been warned years earlier about glaring weaknesses — yet never implemented critical fixes.

Provincial officials say new tools, including the Enhancing Digital Security and Trust Act (EDSTA) and the Cyber Security Ontario Learning Portal, are available to improve municipal defences. But cybersecurity leaders warn that simply having tools isn’t enough.

Third-Party Contractors a Major Weak Link

Mathieu said the core issue is that government agencies outsource much of their website development to external companies that lack proper security expertise. Without mandatory audits and compliance testing, insecure systems end up online — and residents pay the price.

“Some cities don’t have the budget or the internal knowledge to request proper security testing,” he explained. “You have to check everyone in the supply chain before trusting them with government data.”

Full details of the investigation will be shared directly with federal, provincial and municipal authorities in the coming weeks.

Growing Consequences for Canadians

Outdated and insecure public websites aren’t just a bureaucratic embarrassment — they pose real dangers for residents:

  • Personal data theft: Hackers can target login portals and databases to steal sensitive information.
  • Phishing and misinformation: Compromised sites can spread false information or trick users into sharing credentials.
  • Service outages: Attacks like ransomware or denial-of-service can shut down essential public services.
  • Financial loss: Recovering from cyberattacks can cost municipalities millions, draining taxpayer-funded budgets.

Federal Systems Not Immune

A 2025 cyberattack, linked to a breach at a third-party MFA provider, 2Keys, exposed email addresses and phone numbers tied to CRA, ESDC and CBSA accounts. Meanwhile, a recent Auditor General report found major federal gaps including:

  • No complete inventory of IT assets across departments
  • Insufficient monitoring during active cyberattacks
  • Unfunded projects meant to strengthen cyber collaboration

Although ESDC says Canada.ca is protected against SQL injection, the broader system-wide risks remain significant.

The Bottom Line

Cybersecurity experts warn that Canada’s public websites are overdue for modernization, oversight and proper auditing. Without immediate action, governments may continue to operate vulnerable digital infrastructures — leaving residents exposed to identity theft, misinformation and disrupted services.

As Mathieu cautioned, “Cities manage water. Governments manage electricity. These vulnerabilities affect everyone.”
