Federal officials say a series of cyberattacks that compromised the personal information of thousands of Canadians and allowed hackers to fraudulently access government services has been brought under control.
the attacks targeted the Canada Revenue Agency (CRA) and GCKey, a secure online portal that allows Canadians to access services such as employment insurance, veterans’ benefits and immigration applications.
Acting chief information officer for the Treasury Board of Canada Secretariat Marc Brouillard said the attacks were a form of “credential stuffing,” where hackers fraudulently obtain usernames and passwords to accounts on other websites, and take advantage of the fact that many people use the same password for different accounts.
“By using previously hacked usernames and passwords, the bad actors were able to fraudulently acquire approximately 9,000 of the roughly 12 million active [GCKey] accounts, a third of which accessed such services and are being further examined for suspicious activities,” said Brouillard.
“The [Government of Canada] has worked around the clock to reduce the threat to Canadians affected … The credential stuffing attack on GC has ceased.”
Brouillard said the affected accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were compromised to provide instructions on how to receive a new GCKey.
CRA online services for individuals temporarily disabled
Annette Butikofer, chief information officer at CRA, said the tax agency was impacted by three separate cybersecurity incidents that may have allowed fraudsters to access the CRA My Account of 5,600 individuals.
The first attack occurred when hackers involved in the GCKey attack gained access to 3,400 CRA accounts.
A second attack took place last week where hackers took advantage of a vulnerability in the agency’s software that allowed them to bypass the normally-required security question and gain access to a user accounts.
The third attack took place over the weekend, causing CRA to temporarily cut off access to its online services on Sunday, including services connected to My Account, My Business Account and Represent a Client.
The decision comes at a time when millions of Canadians and businesses have been using the revenue agency’s website to apply for and access financial support related to the COVID-19 pandemic.
“CRA takes the protection of taxpayers’ information very seriously,” said Butikofer. The confidence and trust that individuals and businesses have are the cornerstones of Canada’s tax system.”
Butikofer said My Business Account, which is used by employers, is back online with additional safety measures so employers can apply for the most recent round of the emergency wage subsidy.
She said CRA hopes to have its online services for individuals back up and running by mid-week.
CRA shuts down online services after thousands of accounts breached in cyberattacks
Butikofer said all the hacked accounts have been temporarily revoked, and each person impacted will receive a letter from the CRA telling them how they can confirm their identity and regain access to their account.
The RCMP has confirmed that its National Division, which investigates “sensitive, high profile cases that threaten Canada’s political, economic and social integrity,” is actively looking into the attacks. The Office of the Privacy Commissioner of Canada is also monitoring the situation.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million